syzbot


KASAN: use-after-free Read in unmap_page_range

Status: closed as invalid on 2017/10/30 19:42
Reported-by: syzbot+697ff43218dc577cc7f81517ead5f4e299d75db8@syzkaller.appspotmail.com
First crash: 2664d, last: 2664d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: Bad page map (5) mm io-uring C 35 688d 946d 22/28 fixed on 2023/02/24 13:50
upstream KASAN: use-after-free Read in unmap_page_range (2) mm C unreliable 4 1109d 1127d 20/28 fixed on 2022/03/08 16:11

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in unmap_page_range+0x1dc7/0x22a0 mm/memory.c:1413
Read of size 8 at addr ffff880039dd0358 by task syz-executor6/12544

CPU: 0 PID: 12544 Comm: syz-executor6 Not tainted 4.13.0-rc5-next-20170816+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 unmap_page_range+0x1dc7/0x22a0 mm/memory.c:1413
 unmap_single_vma+0x15f/0x2d0 mm/memory.c:1463
 unmap_vmas+0xf1/0x1b0 mm/memory.c:1493
 exit_mmap+0x22a/0x560 mm/mmap.c:3004
 __mmput kernel/fork.c:905 [inline]
 mmput+0x223/0x6e0 kernel/fork.c:927
 copy_process.part.36+0x22e1/0x4af0 kernel/fork.c:1931
 copy_process kernel/fork.c:1546 [inline]
 _do_fork+0x1ef/0xfb0 kernel/fork.c:2025
 SYSC_clone kernel/fork.c:2135 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2129
 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x448ad9
RSP: 002b:00007ffd934b69c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000448ad9
RDX: 000000000000f8f8 RSI: 0000000000a5ffb0 RDI: 0000000074000000
RBP: 0000000000000006 R08: 00007ffd934b6920 R09: 00007ffd934b6920
R10: 000000000040d950 R11: 0000000000000202 R12: 0000000000000000
R13: 000000000040d8c0 R14: 000000000040d950 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0000e77400 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 0000000000000000 00000000ffffff80
raw: ffffea0000f625a0 ffffea0000ee6c60 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880039dd0200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880039dd0280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff880039dd0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff880039dd0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880039dd0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/08/16 21:29 linux-next 5d51332f20b2 f93be584 .config console log report skylake-linux-next-kasan-qemu
* Struck through repros no longer work on HEAD.