syzbot


KASAN: use-after-free Read in lo_open

Status: upstream: reported syz repro on 2022/12/05 22:47
Reported-by: syzbot+e0260a7e30d28d995dd4@syzkaller.appspotmail.com
First crash: 478d, last: 1d18h
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/02/28 02:52 14m retest repro android12-5.4 report log
2024/02/28 02:52 14m retest repro android12-5.4 report log
2024/02/28 02:52 14m retest repro android12-5.4 report log
2024/02/28 02:52 6m retest repro android12-5.4 report log
2024/02/28 02:52 16m retest repro android12-5.4 report log
2024/01/13 19:32 6m retest repro android12-5.4 report log
2024/01/13 19:32 6m retest repro android12-5.4 report log
2024/01/13 19:32 16m retest repro android12-5.4 report log
2024/01/13 19:32 8m retest repro android12-5.4 report log
2024/01/13 19:32 15m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:973 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
Read of size 4 at addr ffff8881d8a42f78 by task syz-executor.1/410

CPU: 1 PID: 410 Comm: syz-executor.1 Not tainted 5.4.265-syzkaller-00009-g43a5ead9254d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 mutex_can_spin_on_owner kernel/locking/mutex.c:617 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:661 [inline]
 __mutex_lock_common kernel/locking/mutex.c:973 [inline]
 __mutex_lock+0xcd7/0x1060 kernel/locking/mutex.c:1114
 mutex_lock_killable+0xd8/0x110 kernel/locking/mutex.c:1348
 lo_open+0x18/0xc0 drivers/block/loop.c:1899
 __blkdev_get+0xb38/0x1160 fs/block_dev.c:1644
 blkdev_get+0x2de/0x3a0 fs/block_dev.c:1714
 do_dentry_open+0x964/0x1130 fs/open.c:796
 do_last fs/namei.c:3515 [inline]
 path_openat+0x2992/0x3480 fs/namei.c:3634
 do_filp_open+0x20b/0x450 fs/namei.c:3664
 do_sys_open+0x39c/0x810 fs/open.c:1113
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 402:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 17:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x492/0xa00 kernel/rcu/tree.c:2167
 rcu_core+0x4c8/0xcb0 kernel/rcu/tree.c:2387
 __do_softirq+0x23b/0x6b7 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d8a42f40
 which belongs to the cache task_struct of size 3904
The buggy address is located 56 bytes inside of
 3904-byte region [ffff8881d8a42f40, ffff8881d8a43e80)
The buggy address belongs to the page:
page:ffffea0007629000 refcount:1 mapcount:0 mapping:ffff8881f5cf9900 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf9900
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4f/0x600 kernel/fork.c:882
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 kernel_thread+0x16a/0x1d0 kernel/fork.c:2489
 create_kthread kernel/kthread.c:311 [inline]
 kthreadd+0x3b1/0x4f0 kernel/kthread.c:654
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881d8a42e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d8a42e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881d8a42f00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881d8a42f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d8a43000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (145):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/03/26 18:23 android12-5.4 43a5ead9254d bcd9b39f .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/14 01:17 android12-5.4 43a5ead9254d f919f202 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/12 17:13 android12-5.4 43a5ead9254d c35c26ec .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/10 05:19 android12-5.4 43a5ead9254d 6ee49f2e .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/08 20:47 android12-5.4 43a5ead9254d 8e75c913 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/26 09:04 android12-5.4 c0585bc7c835 fb427a07 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/03 16:07 android12-5.4 891e39829ab7 f819d6f7 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/11/05 17:13 android12-5.4 2ac128c04e33 500bfdc4 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/10/29 17:47 android12-5.4 65fc90b61bc7 3c418d72 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/09/06 06:05 android12-5.4 50533a8b511b 0b6286dc .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/18 21:26 android12-5.4 effd75159534 acb1ba71 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/07/02 11:58 android12-5.4 487daef44f9f bfc47836 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/06/16 23:47 android12-5.4 39a9b92e9828 f3921d4d .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/05/03 12:06 android12-5.4 cf4e000017b8 48e0a81d .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/04/30 04:19 android12-5.4 d5ed2ca98e48 62df2017 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/03/05 16:26 android12-5.4 250ac66f1853 f8902b57 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/02/25 03:19 android12-5.4 66c3e3ab77a2 ee50e71c .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/02/07 13:48 android12-5.4 6a5ec6cea0cd 5bc3be51 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/01/29 01:54 android12-5.4 ac6c87b5296b 9dfcf09c .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2022/12/29 08:16 android12-5.4 a8aad8851131 44712fbc .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2022/12/14 04:35 android12-5.4 a76dfbc99260 f6511626 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2022/12/12 22:54 android12-5.4 d7e5d5321233 67be1ae7 .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2022/12/09 01:13 android12-5.4 d7e5d5321233 1034e5fa .config strace log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/26 16:47 android12-5.4 43a5ead9254d bcd9b39f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/18 07:36 android12-5.4 43a5ead9254d d615901c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/13 23:17 android12-5.4 43a5ead9254d f919f202 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/12 15:42 android12-5.4 43a5ead9254d c35c26ec .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/10 23:04 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/10 02:47 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/08 19:39 android12-5.4 43a5ead9254d 8e75c913 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/07 17:23 android12-5.4 50cb39f34248 2b789849 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/05 13:43 android12-5.4 50cb39f34248 5fc53669 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/05 03:42 android12-5.4 50cb39f34248 5fc53669 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/02 10:07 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/03/01 18:38 android12-5.4 50cb39f34248 83acf9e0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/29 12:25 android12-5.4 50cb39f34248 352ab904 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/14 01:38 android12-5.4 1b3143b9b166 e66542d7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/11 02:35 android12-5.4 1b3143b9b166 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/08 20:52 android12-5.4 1b3143b9b166 7f07e9b0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/06 15:05 android12-5.4 bf4c80bc4358 6404acf9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/02/03 03:26 android12-5.4 bf4c80bc4358 60bf9982 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/01/29 18:58 android12-5.4 4d7b888b5774 991a98f4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/01/23 16:04 android12-5.4 9ca091c99214 1c0ecc51 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2024/01/21 09:52 android12-5.4 9ca091c99214 9bd8dcda .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/30 19:31 android12-5.4 c0585bc7c835 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/26 06:46 android12-5.4 c0585bc7c835 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/25 08:39 android12-5.4 c0585bc7c835 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/23 09:42 android12-5.4 c0585bc7c835 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/15 08:20 android12-5.4 8ff9dd882f11 3222d10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/03 13:37 android12-5.4 891e39829ab7 f819d6f7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/12/01 00:16 android12-5.4 891e39829ab7 f819d6f7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/11/06 11:00 android12-5.4 2ac128c04e33 500bfdc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/11/05 08:32 android12-5.4 2ac128c04e33 500bfdc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/10/28 18:55 android12-5.4 65fc90b61bc7 3c418d72 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/10/01 10:19 android12-5.4 5f1cbd78af59 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/09/23 11:02 android12-5.4 19cff29fe49c 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/09/17 00:35 android12-5.4 19cff29fe49c 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/09/08 11:26 android12-5.4 50533a8b511b 72324844 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/09/05 13:45 android12-5.4 50533a8b511b 0b6286dc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/31 03:45 android12-5.4 c83e2462239e 84803932 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/29 12:47 android12-5.4 c83e2462239e 7ba13a15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/23 03:59 android12-5.4 a14f43f0b97d b81ca3f6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/19 10:26 android12-5.4 effd75159534 d216d8a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/18 19:30 android12-5.4 effd75159534 acb1ba71 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/18 01:32 android12-5.4 effd75159534 74b106b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2023/08/17 19:21 android12-5.4 effd75159534 74b106b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
2022/12/05 22:47 android12-5.4 69181d148aef 045cbb84 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in lo_open
* Struck through repros no longer work on HEAD.