syzbot


KASAN: use-after-free Read in disk_unblock_events

Status: upstream: reported C repro on 2019/04/19 06:17
Reported-by: syzbot+dbb73c8690788e10d32e@syzkaller.appspotmail.com
First crash: 1868d, last: 628d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 KASAN: use-after-free Read in disk_unblock_events C 367 1638d 1875d 0/2 public: reported C repro on 2019/04/12 00:00
android-49 KASAN: use-after-free Read in disk_unblock_events C 665 1971d 2411d 0/3 closed as invalid on 2019/01/08 21:30
android-49 KASAN: use-after-free Read in disk_unblock_events (2) C 200 1641d 1876d 0/3 public: reported C repro on 2019/04/11 08:44
upstream KASAN: use-after-free Read in disk_unblock_events block C 65 2297d 2403d 5/26 fixed on 2018/04/09 09:36
android-414 KASAN: use-after-free Read in disk_unblock_events C 114 1643d 1876d 0/1 public: reported C repro on 2019/04/11 00:00
Fix bisection attempts (19)
Created Duration User Patch Repo Result
2022/10/13 02:22 0m bisect fix linux-4.14.y error job log (0)
2022/08/18 18:20 27m bisect fix linux-4.14.y job log (0) log
2022/07/19 17:55 24m bisect fix linux-4.14.y job log (0) log
2022/06/19 17:34 21m bisect fix linux-4.14.y job log (0) log
2022/05/20 17:05 28m bisect fix linux-4.14.y job log (0) log
2022/04/20 16:33 32m bisect fix linux-4.14.y job log (0) log
2022/03/02 21:37 22m bisect fix linux-4.14.y job log (0) log
2022/01/28 22:30 21m bisect fix linux-4.14.y job log (0) log
2021/12/28 10:02 24m bisect fix linux-4.14.y job log (0) log
2021/11/28 09:32 27m bisect fix linux-4.14.y job log (0) log
2021/10/29 09:09 21m bisect fix linux-4.14.y job log (0) log
2021/09/25 22:48 27m bisect fix linux-4.14.y job log (0) log
2021/08/26 22:26 21m bisect fix linux-4.14.y job log (0) log
2021/07/27 21:58 28m bisect fix linux-4.14.y job log (0) log
2021/06/27 21:33 24m bisect fix linux-4.14.y job log (0) log
2021/05/28 21:06 26m bisect fix linux-4.14.y job log (0) log
2021/03/29 18:51 21m bisect fix linux-4.14.y job log (0) log
2020/10/19 00:16 25m bisect fix linux-4.14.y job log (0) log
2020/04/29 08:03 25m bisect fix linux-4.14.y job log (0) log

Sample crash report:
md: md1 stopped.
md: md1 stopped.
md: md1 stopped.
md: md1 stopped.
==================================================================
BUG: KASAN: use-after-free in disk_unblock_events+0x4b/0x50 block/genhd.c:1647
md: md1 stopped.
Read of size 8 at addr ffff8880b38d4888 by task syz-executor561/8085

CPU: 1 PID: 8085 Comm: syz-executor561 Not tainted 4.14.217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 disk_unblock_events+0x4b/0x50 block/genhd.c:1647
 __blkdev_get+0x83b/0x1090 fs/block_dev.c:1556
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
md: md1 stopped.
md: md1 stopped.
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
md: md1 stopped.
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x447369
RSP: 002b:00007f1fb6e9fd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000006dec58 RCX: 0000000000447369
RDX: 0000000000000000 RSI: 00000000200020c0 RDI: 00000000ffffff9c
RBP: 00000000006dec50 R08: 00007f1fb6ea0700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec5c
R13: 0000000020000000 R14: 00000000004af9e0 R15: 0000000000000001

Allocated by task 8077:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661
 kmalloc_node include/linux/slab.h:526 [inline]
 kzalloc_node include/linux/slab.h:672 [inline]
 alloc_disk_node+0x5d/0x3d0 block/genhd.c:1390
 md_alloc+0x22a/0x890 drivers/md/md.c:5332
 md_probe+0x28/0x40 drivers/md/md.c:5389
 kobj_lookup+0x21f/0x400 drivers/base/map.c:124
 get_gendisk+0x36/0x230 block/genhd.c:788
 __blkdev_get+0x3e5/0x1090 fs/block_dev.c:1449
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8085:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 device_release+0xf0/0x1a0 drivers/base/core.c:831
 kobject_cleanup lib/kobject.c:646 [inline]
 kobject_release lib/kobject.c:675 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x251/0x550 lib/kobject.c:692
 put_disk+0x1f/0x30 block/genhd.c:1455
 __blkdev_get+0x7a6/0x1090 fs/block_dev.c:1549
 blkdev_get+0x88/0x890 fs/block_dev.c:1611
 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880b38d4300
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1416 bytes inside of
 2048-byte region [ffff8880b38d4300, ffff8880b38d4b00)
The buggy address belongs to the page:
page:ffffea0002ce3500 count:1 mapcount:0 mapping:ffff8880b38d4300 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880b38d4300 0000000000000000 0000000100000003
raw: ffffea0002bf19a0 ffffea0002d069a0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b38d4780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b38d4800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b38d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880b38d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b38d4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (129):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/28 02:59 linux-4.14.y 2d2791fce891 a57db36f .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2020/12/30 00:59 linux-4.14.y 1752938529c6 80910769 .config console log report syz C ci2-linux-4-14
2020/02/11 12:52 linux-4.14.y e0f8b8a65a47 084454ae .config console log report syz C ci2-linux-4-14
2020/01/11 18:45 linux-4.14.y b0cdffaa546e 4c04afaa .config console log report syz C ci2-linux-4-14
2019/11/08 19:18 linux-4.14.y c9fda4f22428 1e35461e .config console log report syz C ci2-linux-4-14
2019/11/03 03:32 linux-4.14.y ddef1e8e3f6e d603afc9 .config console log report syz C ci2-linux-4-14
2019/10/28 17:54 linux-4.14.y b98aebd29824 439d7b14 .config console log report syz C ci2-linux-4-14
2019/08/25 02:32 linux-4.14.y 45f092f9e9cb d21c5d9d .config console log report syz C ci2-linux-4-14
2019/08/01 15:59 linux-4.14.y 10d6aa565d05 835dffe7 .config console log report syz C ci2-linux-4-14
2019/07/31 19:54 linux-4.14.y 10d6aa565d05 995b2a26 .config console log report syz C ci2-linux-4-14
2019/07/25 10:43 linux-4.14.y ff33472c282e 32329ceb .config console log report syz C ci2-linux-4-14
2019/06/20 04:34 linux-4.14.y bb263a2a2d43 34bf9440 .config console log report syz C ci2-linux-4-14
2019/05/02 10:44 linux-4.14.y 1c046f373132 1852eb18 .config console log report syz C ci2-linux-4-14
2019/04/21 22:30 linux-4.14.y 68d7a45eec10 b0e8efcb .config console log report syz C ci2-linux-4-14
2019/04/19 05:16 linux-4.14.y 58b454ebf81e b0e8efcb .config console log report syz C ci2-linux-4-14
2020/01/22 07:01 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report syz ci2-linux-4-14
2019/11/20 17:21 linux-4.14.y 775d01b65b5d 432c7650 .config console log report syz ci2-linux-4-14
2019/07/17 10:51 linux-4.14.y aea8526edf59 0d10349c .config console log report syz ci2-linux-4-14
2022/09/09 11:05 linux-4.14.y 65640c873dcf 90058bdc .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2022/03/21 14:53 linux-4.14.y eb045674aab3 e2d91b1d .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2022/01/31 20:26 linux-4.14.y b86ee2b7ae42 6b7c57fe .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/12/29 21:43 linux-4.14.y a6ca7c65b137 6cc879d4 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/04/28 21:06 linux-4.14.y 7d7d1c0ab3eb 77e2b668 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/04/10 06:11 linux-4.14.y 0cc244011f40 6a81331a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/27 18:23 linux-4.14.y 3242aa3a635c 4c37c133 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/25 15:30 linux-4.14.y 3242aa3a635c 76f7fc95 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/21 02:52 linux-4.14.y 29c52025152b 3e5ed8b4 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/20 10:39 linux-4.14.y 29c52025152b 3e5ed8b4 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/18 10:35 linux-4.14.y 2c8a3fceddf0 14052202 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/11 03:05 linux-4.14.y 2c8a3fceddf0 a52ee10a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/02/10 06:55 linux-4.14.y 2c8a3fceddf0 2bd9619f .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/01/29 00:32 linux-4.14.y 2d2791fce891 7df34f59 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in disk_unblock_events
2021/01/14 14:05 linux-4.14.y f79dc86058bc 269d24e8 .config console log report info ci2-linux-4-14
2020/12/26 06:34 linux-4.14.y 3f2ecb86cb90 821e0b09 .config console log report info ci2-linux-4-14
2020/12/19 20:35 linux-4.14.y 3f2ecb86cb90 04201c06 .config console log report info ci2-linux-4-14
2020/12/14 19:33 linux-4.14.y 3f2ecb86cb90 97183ed7 .config console log report info ci2-linux-4-14
2020/12/07 04:14 linux-4.14.y c196b3a9c83a c521566d .config console log report info ci2-linux-4-14
2020/11/20 09:07 linux-4.14.y 8961076ed318 0767f13f .config console log report info ci2-linux-4-14
2020/11/17 12:54 linux-4.14.y 27ce4f2a6817 bd2a760b .config console log report info ci2-linux-4-14
2020/11/11 11:06 linux-4.14.y 27ce4f2a6817 cca87986 .config console log report info ci2-linux-4-14
2020/11/10 02:59 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/10/24 17:06 linux-4.14.y 5b7a52cd2eef a1839e81 .config console log report info ci2-linux-4-14
2020/09/19 00:16 linux-4.14.y cbfa1702aaf6 53ce8104 .config console log report info ci2-linux-4-14
2020/09/17 11:53 linux-4.14.y cbfa1702aaf6 8247808b .config console log report info ci2-linux-4-14
2020/09/08 22:47 linux-4.14.y 2f166cdcf8a9 abf9ba4f .config console log report ci2-linux-4-14
2020/08/26 12:26 linux-4.14.y d7e78d08fa77 318430cb .config console log report ci2-linux-4-14
2020/08/13 15:29 linux-4.14.y 14b58326976d ee7cb8b6 .config console log report ci2-linux-4-14
2020/07/18 00:48 linux-4.14.y b850307b279c 9c812472 .config console log report ci2-linux-4-14
2020/07/17 10:31 linux-4.14.y b850307b279c 54b3c45e .config console log report ci2-linux-4-14
2020/06/29 10:47 linux-4.14.y b850307b279c 3ff434cc .config console log report ci2-linux-4-14
2020/06/24 21:42 linux-4.14.y b850307b279c 9d60b18e .config console log report ci2-linux-4-14
2020/06/19 08:19 linux-4.14.y b850307b279c bc258b50 .config console log report ci2-linux-4-14
2020/06/17 07:05 linux-4.14.y b850307b279c b9f3810b .config console log report ci2-linux-4-14
2020/06/16 10:29 linux-4.14.y b850307b279c baca2611 .config console log report ci2-linux-4-14
2020/06/13 22:52 linux-4.14.y b850307b279c dbce178a .config console log report ci2-linux-4-14
2020/06/09 13:27 linux-4.14.y c6db52a88798 092934c1 .config console log report ci2-linux-4-14
2020/06/01 09:20 linux-4.14.y 4f68020fef1c a0331e89 .config console log report ci2-linux-4-14
2020/05/31 20:58 linux-4.14.y 4f68020fef1c a0331e89 .config console log report ci2-linux-4-14
2020/05/29 17:12 linux-4.14.y 4f68020fef1c bed08304 .config console log report ci2-linux-4-14
2020/05/16 08:20 linux-4.14.y ab9dfda23248 37bccd4e .config console log report ci2-linux-4-14
2020/05/15 11:06 linux-4.14.y ab9dfda23248 2d572622 .config console log report ci2-linux-4-14
2020/05/10 13:13 linux-4.14.y ab9dfda23248 8742a2b9 .config console log report ci2-linux-4-14
2020/03/30 08:03 linux-4.14.y 01364dad1d45 05736b29 .config console log report ci2-linux-4-14
2020/03/26 20:05 linux-4.14.y 01364dad1d45 6d25c5a0 .config console log report ci2-linux-4-14
2020/03/24 09:23 linux-4.14.y 01364dad1d45 33e14df3 .config console log report ci2-linux-4-14
2020/03/20 19:55 linux-4.14.y 01364dad1d45 2c31c529 .config console log report ci2-linux-4-14
2020/03/12 14:35 linux-4.14.y 12cd844a39ed d850e9d0 .config console log report ci2-linux-4-14
2020/03/03 08:47 linux-4.14.y 78d697fc93f9 350a7a26 .config console log report ci2-linux-4-14
2020/02/28 19:16 linux-4.14.y 78d697fc93f9 c88c7b75 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.