syzbot


KASAN: use-after-free Read in __schedule

Status: auto-closed as invalid on 2020/07/28 03:17
Reported-by: syzbot+d78a0940e37a384dd5b8@syzkaller.appspotmail.com
First crash: 1726d, last: 1699d
Similar bugs (4)

Kernel     | Title                                        | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream   | KASAN: use-after-free Read in __schedule (kvm)     | C     |              |            | 145   | 2528d | 2529d    | 4/28    | fixed on 2018/02/14 17:41
linux-4.19 | KASAN: use-after-free Read in __schedule           |       |              |            | 1     | 1362d | 1362d    | 0/1     | auto-closed as invalid on 2021/06/29 13:25
linux-4.19 | KASAN: use-after-free Read in __schedule (2)       |       |              |            | 1     | 1039d | 1039d    | 0/1     | auto-closed as invalid on 2022/05/18 22:28
upstream   | KASAN: use-after-free Read in __schedule (2) (kvm) | C     | done         |            | 961   | 2086d | 2304d    | 13/28   | fixed on 2019/11/20 22:01

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in schedule_debug kernel/sched/core.c:3883 [inline]
BUG: KASAN: use-after-free in __schedule+0xf6/0x1700 kernel/sched/core.c:4016
Read of size 8 at addr ffff8881867e8000 by task syz-executor.1/13471

CPU: 0 PID: 13471 Comm: syz-executor.1 Tainted: G        W         5.4.28-syzkaller-00758-g8398205ce446 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x228 lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 schedule_debug kernel/sched/core.c:3883 [inline]
 __schedule+0xf6/0x1700 kernel/sched/core.c:4016
 preempt_schedule_common kernel/sched/core.c:4232 [inline]
 preempt_schedule+0xcd/0x110 kernel/sched/core.c:4257
 ___preempt_schedule+0x16/0x20 arch/x86/entry/thunk_64.S:50
 __raw_read_unlock include/linux/rwlock_api_smp.h:227 [inline]
 _raw_read_unlock+0x2c/0x30 kernel/locking/spinlock.c:255
 security_compute_sid+0x122f/0x1be0 security/selinux/ss/services.c:1857
 security_transition_sid+0x7d/0x90 security/selinux/ss/services.c:1880
 selinux_determine_inode_label security/selinux/hooks.c:1805 [inline]
 may_create+0x5e0/0x930 security/selinux/hooks.c:1840
 selinux_inode_symlink+0x22/0x30 security/selinux/hooks.c:2975
 security_inode_symlink+0xa8/0x130 security/security.c:1140
 vfs_symlink2+0x2f1/0x4f0 fs/namei.c:4260
 do_symlinkat+0x1b6/0x3f0 fs/namei.c:4297
 __do_sys_symlink fs/namei.c:4316 [inline]
 __se_sys_symlink fs/namei.c:4314 [inline]
 __x64_sys_symlink+0x60/0x70 fs/namei.c:4314
 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c577
Code: 0f 1f 00 b8 5c 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 6d b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 58 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 4d b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd375e5bb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045c577
RDX: 00007ffd375e5c53 RSI: 00000000004c2385 RDI: 00007ffd375e5c40
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
R10: 0000000000000075 R11: 0000000000000206 R12: 0000000000000001
R13: 00007ffd375e5bf0 R14: 0000000000000000 R15: 00007ffd375e5c00

The buggy address belongs to the page:
page:ffffea000619fa00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea00065cfac8 ffff8881dba35ad0 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881867e7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881867e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881867e8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8881867e8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881867e8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):

Time             | Kernel                                                      | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager               | Title
2020/03/30 03:16 | https://android.googlesource.com/kernel/common android-5.4 | 8398205ce446 | 05736b29  | .config | console log | report |           |         |         |        | ci2-android-5-4-kasan |
2020/03/08 16:47 | https://android.googlesource.com/kernel/common android-5.4 | 3334f0da669e | 2e9971bb  | .config | console log | report |           |         |         |        | ci2-android-5-4-kasan |
2020/03/03 03:45 | https://android.googlesource.com/kernel/common android-5.4 | 2c2101d18159 | 4a4e0509  | .config | console log | report |           |         |         |        | ci2-android-5-4-kasan |
* Struck through repros no longer work on HEAD.