syzbot


KASAN: use-after-free Read in sg_release

Status: auto-closed as invalid on 2021/10/04 20:06
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 489d, last: 489d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/linux/atomic/atomic-instrumented.h:1183 [inline]
BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0 kernel/locking/mutex.c:1230
Read of size 8 at addr ffff88806efc2858 by task syz-executor.0/12440

CPU: 1 PID: 12440 Comm: syz-executor.0 Not tainted 5.14.0-rc3-next-20210730-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:1183 [inline]
 __mutex_unlock_slowpath+0xa6/0x5e0 kernel/locking/mutex.c:1230
 sg_release+0x204/0x350 drivers/scsi/sg.c:405
 __fput+0x288/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4193fb
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffcea9bbe30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004193fb
RDX: 0000000000000000 RSI: 00007fcacb587000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b31032294
R10: 0000000000000973 R11: 0000000000000293 R12: 000000000056cb00
R13: 000000000056cb00 R14: 000000000056bf80 R15: 000000000006d1e2

Allocated by task 8:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 sg_alloc drivers/scsi/sg.c:1446 [inline]
 sg_add_device+0x17f/0xc60 drivers/scsi/sg.c:1525
 device_add+0xece/0x21b0 drivers/base/core.c:3380
 scsi_sysfs_add_sdev+0x22b/0x730 drivers/scsi/scsi_sysfs.c:1362
 scsi_sysfs_add_devices drivers/scsi/scsi_scan.c:1725 [inline]
 scsi_finish_async_scan drivers/scsi/scsi_scan.c:1810 [inline]
 do_scan_async+0x210/0x500 drivers/scsi/scsi_scan.c:1853
 async_run_entry_fn+0x9d/0x550 kernel/async.c:127
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 9713:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1628 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1653
 slab_free mm/slub.c:3213 [inline]
 kfree+0xe4/0x530 mm/slub.c:4267
 kref_put include/linux/kref.h:65 [inline]
 sg_remove_sfp_usercontext+0x396/0x600 drivers/scsi/sg.c:2220
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88806efc2800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 88 bytes inside of
 512-byte region [ffff88806efc2800, ffff88806efc2a00)
The buggy address belongs to the page:
page:ffffea0001bbf000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806efc2000 pfn:0x6efc0
head:ffffea0001bbf000 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000557208 ffffea0001f6f808 ffff888010841c80
raw: ffff88806efc2000 000000000010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13, ts 124646309898, free_ts 80349819883
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4152
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5374
 alloc_pages+0x1a3/0x2d0 mm/mempolicy.c:2174
 alloc_slab_page mm/slub.c:1691 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1831
 new_slab mm/slub.c:1894 [inline]
 new_slab_objects mm/slub.c:2640 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2803
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843
 slab_alloc_node mm/slub.c:2925 [inline]
 __kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4653
 kmalloc_reserve net/core/skbuff.c:355 [inline]
 __alloc_skb+0xde/0x340 net/core/skbuff.c:426
 __napi_alloc_skb+0x70/0x310 net/core/skbuff.c:567
 napi_alloc_skb include/linux/skbuff.h:2933 [inline]
 page_to_skb+0x1b3/0xc60 drivers/net/virtio_net.c:442
 receive_mergeable drivers/net/virtio_net.c:1031 [inline]
 receive_buf+0x338e/0x6380 drivers/net/virtio_net.c:1141
 virtnet_receive drivers/net/virtio_net.c:1433 [inline]
 virtnet_poll+0x5bf/0x11c0 drivers/net/virtio_net.c:1542
 __napi_poll+0xaf/0x440 net/core/dev.c:7065
 napi_poll net/core/dev.c:7132 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7219
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:920 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x373/0x860 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3394
 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2421
 put_cpu_partial+0x13d/0x230 mm/slub.c:2457
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2959 [inline]
 kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2995
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:414
 alloc_skb_fclone include/linux/skbuff.h:1166 [inline]
 sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:887
 tcp_sendmsg_locked+0xc78/0x2f10 net/ipv4/tcp.c:1309
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1461
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 sock_write_iter+0x289/0x3c0 net/socket.c:1057
 call_write_iter include/linux/fs.h:2152 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518

Memory state around the buggy address:
 ffff88806efc2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806efc2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806efc2800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88806efc2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806efc2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-linux-next-kasan-gce-root 2021/08/05 19:57 linux-next 8d4b477da1a8 d2d6e680 .config log report info KASAN: use-after-free Read in sg_release
* Struck through repros no longer work on HEAD.