syzbot

KASAN: use-after-free Read in relay_switch_subbuf

Status: upstream: reported C repro on 2018/09/26 07:41
Reported-by: syzbot+29093015c21333d1c46d@syzkaller.appspotmail.com
First crash: 1376d, last: 1d04h

Cause bisection: introduced by (bisect log):
commit 21c75ad65f8e5213ec542d99c259ffe3e3671e81
Author: YueHaibing <yuehaibing@huawei.com>
Date: Thu Mar 21 08:26:28 2019 +0000

  parport_cs: Fix memory leak in parport_config

Caveat: treat this cause-bisection result as noise. The commit is a parport_cs driver fix with no relation to kernel/relay.c or blktrace, and the crash list at the bottom of this page contains reports from 2018/09/25, six months before the commit date, so the commit cannot have introduced this bug.

Crash: KASAN: use-after-free Read in relay_switch_subbuf (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (9):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Read in relay_switch_subbuf | | | | 10 | 737d | 1161d | 0/1 | auto-closed as invalid on 2020/10/24 01:02
linux-4.14 | KASAN: use-after-free Read in relay_switch_subbuf | C | done | unreliable | 4 | 601d | 970d | 0/1 | upstream: reported C repro on 2019/11/05 17:36
linux-4.19 | KASAN: use-after-free Read in relay_switch_subbuf (2) | | | | 8 | 7d16h | 258d | 0/1 | upstream: reported on 2021/10/17 18:33
linux-4.14 | general protection fault in relay_switch_subbuf | | | | 2 | 828d | 921d | 0/1 | auto-closed as invalid on 2020/07/25 03:12
upstream | general protection fault in relay_switch_subbuf | | | | 4 | 1255d | 1227d | 0/22 | auto-closed as invalid on 2019/07/23 22:29
upstream | general protection fault in relay_switch_subbuf (2) | | | | 1 | 1068d | 1059d | 0/22 | auto-closed as invalid on 2019/10/25 14:11
upstream | general protection fault in relay_switch_subbuf (3) | | | | 1 | 975d | 975d | 0/22 | auto-closed as invalid on 2020/01/29 10:20
linux-4.19 | general protection fault in relay_switch_subbuf | | | | 1 | 1050d | 1050d | 0/1 | auto-closed as invalid on 2019/12/15 08:14
linux-4.19 | general protection fault in relay_switch_subbuf (2) | | | | 1 | 747d | 747d | 0/1 | auto-closed as invalid on 2020/10/13 07:52
Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2021/03/15 02:41 | 18m | ducheng2@gmail.com | | upstream | OK

Sample crash report (reading the three stacks below together: the dentry of a blktrace relay buffer file is allocated from the blktrace setup ioctl via blk_trace_ioctl -> do_blk_trace_setup -> relay_open -> debugfs_create_file, is freed later by the RCU callback __d_free, and is then dereferenced again through d_inode() in relay_switch_subbuf when the request queue's release work runs blk_trace_shutdown -> relay_flush):
==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:515 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
Read of size 8 at addr ffff8880aa0ce4f8 by task kworker/0:2/2908

CPU: 0 PID: 2908 Comm: kworker/0:2 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 d_inode include/linux/dcache.h:515 [inline]
 relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
 relay_flush+0x1ff/0x2e0 kernel/relay.c:883
 __blk_trace_startstop kernel/trace/blktrace.c:662 [inline]
 blk_trace_shutdown+0x203/0x260 kernel/trace/blktrace.c:746
 __blk_release_queue+0x244/0x2e0 block/blk-sysfs.c:904
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 7879:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3319 [inline]
 kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
 __d_alloc+0x2d/0x6e0 fs/dcache.c:1688
 d_alloc fs/dcache.c:1767 [inline]
 d_alloc_parallel+0x7f/0x1430 fs/dcache.c:2519
 __lookup_slow+0xa7/0x380 fs/namei.c:1646
 lookup_one_len+0x123/0x220 fs/namei.c:2533
 start_creating+0xd3/0x270 fs/debugfs/inode.c:339
 __debugfs_create_file+0x75/0x470 fs/debugfs/inode.c:384
 debugfs_create_file+0x4a/0x60 fs/debugfs/inode.c:441
 blk_create_buf_file_callback+0x34/0x40 kernel/trace/blktrace.c:444
 relay_create_buf_file kernel/relay.c:428 [inline]
 relay_open_buf+0x5cb/0xd60 kernel/relay.c:457
 relay_open+0x491/0x970 kernel/relay.c:599
 do_blk_trace_setup+0x4b9/0xaa0 kernel/trace/blktrace.c:526
 __blk_trace_setup kernel/trace/blktrace.c:571 [inline]
 blk_trace_ioctl+0x24c/0x7d0 kernel/trace/blktrace.c:710
 blkdev_ioctl+0x134a/0x2980 block/ioctl.c:592
 block_ioctl+0xbd/0x100 fs/block_dev.c:1954
 do_vfs_ioctl+0x744/0x1730 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:718
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 __d_free+0x20/0x30 fs/dcache.c:271
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766

The buggy address belongs to the object at ffff8880aa0ce4a0
 which belongs to the cache dentry(17:syz0) of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff8880aa0ce4a0, ffff8880aa0ce5c0)
The buggy address belongs to the page:
page:ffffea0002a83380 refcount:1 mapcount:0 mapping:ffff8880910e3e00 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002a82188 ffffea0002a81cc8 ffff8880910e3e00
raw: 0000000000000000 ffff8880aa0ce080 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aa0ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8880aa0ce480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880aa0ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
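The shadow-memory block at the end of the report encodes the state of every 8-byte granule around the faulting address, and it is worth being able to decode it independently of the prose lines KASAN prints. The following decoder is an added example, not syzbot's or the kernel's own code: it parses the five dump lines exactly as printed above, classifies the shadow byte at the faulting address, and recovers from the run of 0xfb bytes the freed object's bounds and the access offset, which should agree with the "88 bytes inside of 288-byte region" line. Assumptions: the poison values are those of the v5.4-era mm/kasan/kasan.h (0xfb freed slab object, 0xfc slab redzone, 0xfe large-kmalloc redzone, 0xff freed page), and `faulting_addr` is taken from the "Read of size 8 at addr" line of the same report.

```c
/*
 * Decoder for the "Memory state around the buggy address" block of a
 * generic-KASAN report (added example; not syzbot or kernel code).
 * One shadow byte describes 8 bytes of memory: 00 = all accessible,
 * 01..07 = that many leading bytes accessible, f1..f4 = stack redzone,
 * fb = freed slab object, fc = slab redzone, fe = large-kmalloc redzone,
 * ff = freed page (poison values assumed from the v5.4-era mm/kasan/kasan.h).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE    8    /* bytes of memory per shadow byte */
#define SHADOW_BYTES_PER_LINE 16   /* shadow bytes printed per dump line */
#define MAX_SHADOW            4096

/* The five dump lines, copied verbatim from the crash report above. */
static const char *const kasan_dump[] = {
    " ffff8880aa0ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff8880aa0ce400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc",
    ">ffff8880aa0ce480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff8880aa0ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff8880aa0ce580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
};
static const size_t kasan_dump_lines = sizeof kasan_dump / sizeof kasan_dump[0];
/* From the "Read of size 8 at addr ..." line of the same report. */
static const uint64_t faulting_addr = 0xffff8880aa0ce4f8ULL;

struct shadow_map {
    uint64_t base;                /* memory address described by shadow[0] */
    uint8_t  shadow[MAX_SHADOW];
    size_t   n;
};

/* Parse "[> ]<addr>: xx xx ... xx" lines; 0 on success, -1 if malformed or non-contiguous. */
static int parse_shadow_dump(const char *const *lines, size_t nlines, struct shadow_map *m)
{
    m->n = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *p = lines[i];
        char *end;
        if (*p == '>' || *p == ' ')   /* '>' marks the line holding the bad address */
            p++;
        uint64_t addr = strtoull(p, &end, 16);
        if (end == p || *end != ':')
            return -1;
        if (i == 0)
            m->base = addr;
        else if (addr != m->base + (uint64_t)m->n * KASAN_SHADOW_SCALE)
            return -1;                /* each line must continue the previous one */
        p = end + 1;
        for (int k = 0; k < SHADOW_BYTES_PER_LINE; k++) {
            while (*p == ' ')
                p++;
            unsigned long v = strtoul(p, &end, 16);
            if (end != p + 2 || m->n >= MAX_SHADOW)
                return -1;            /* every entry is exactly two hex digits */
            m->shadow[m->n++] = (uint8_t)v;
            p = end;
        }
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if addr lies outside the dump. */
static int shadow_at(const struct shadow_map *m, uint64_t addr)
{
    if (addr < m->base)
        return -1;
    uint64_t idx = (addr - m->base) / KASAN_SHADOW_SCALE;
    return idx < m->n ? m->shadow[idx] : -1;
}

static const char *shadow_meaning(int v)
{
    if (v < 0) return "not covered by dump";
    if (v == 0x00) return "accessible";
    if (v >= 0x01 && v <= 0x07) return "partially accessible (leading bytes only)";
    if (v >= 0xf1 && v <= 0xf4) return "stack redzone";
    switch (v) {
    case 0xfb: return "freed slab object (KASAN_KMALLOC_FREE)";
    case 0xfc: return "slab redzone (KASAN_KMALLOC_REDZONE)";
    case 0xfe: return "large-kmalloc redzone (KASAN_PAGE_REDZONE)";
    case 0xff: return "freed page (KASAN_FREE_PAGE)";
    default:   return "other poison";
    }
}

/* Memory range [*start, *end) of the maximal run of shadow bytes equal to addr's byte.
 * For 0xfb this recovers the freed object's bounds (here the 288-byte dentry). */
static int shadow_run(const struct shadow_map *m, uint64_t addr, uint64_t *start, uint64_t *end)
{
    int v = shadow_at(m, addr);
    if (v < 0)
        return -1;
    size_t lo = (addr - m->base) / KASAN_SHADOW_SCALE, hi = lo;
    while (lo > 0 && m->shadow[lo - 1] == v)
        lo--;
    while (hi + 1 < m->n && m->shadow[hi + 1] == v)
        hi++;
    *start = m->base + (uint64_t)lo * KASAN_SHADOW_SCALE;
    *end   = m->base + (uint64_t)(hi + 1) * KASAN_SHADOW_SCALE;
    return v;
}

int main(void)
{
    struct shadow_map m;
    uint64_t start, end;
    if (parse_shadow_dump(kasan_dump, kasan_dump_lines, &m) != 0)
        return 1;
    int v = shadow_run(&m, faulting_addr, &start, &end);
    printf("addr %#llx: shadow %02x = %s\n", (unsigned long long)faulting_addr, v, shadow_meaning(v));
    printf("object [%#llx, %#llx) size %llu, access at offset %llu\n",
           (unsigned long long)start, (unsigned long long)end,
           (unsigned long long)(end - start), (unsigned long long)(faulting_addr - start));
    return 0;
}
```

Build with `cc -std=c99 -Wall kasan_shadow.c` and run; to decode another report, replace the `kasan_dump` lines and `faulting_addr`. The run-finding step only trusts the shadow bytes, so it is a useful cross-check when the "belongs to the object at" line is missing or the report was truncated by the console.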

Crashes (72):
Manager | Time | Kernel | Commit | Syzkaller | Artifacts | Title
ci-upstream-kasan-gce-smack-root | 2019/11/08 16:33 | upstream | 847120f859cc | 1e35461e | .config log report syz C |
ci-upstream-kasan-gce | 2019/11/06 07:57 | upstream | 26bc67213424 | bc2c6e45 | .config log report syz C |
ci-upstream-linux-next-kasan-gce-root | 2019/11/25 22:25 | linux-next | c165016bac27 | 371caf77 | .config log report syz C |
ci-upstream-kasan-gce-root | 2022/07/01 23:28 | upstream | a175eca0f3d7 | 1434eec0 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-selinux-root | 2022/06/16 16:25 | upstream | 30306f6194ca | 1719ee24 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-smack-root | 2022/06/13 14:41 | upstream | b13baccc3850 | 0d5abf15 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-root | 2022/05/19 06:04 | upstream | f993aed406ea | 50c53f39 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-smack-root | 2022/01/31 01:39 | upstream | 24f4db1f3a27 | 495e00c5 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-root | 2022/01/28 20:56 | upstream | df0001545b27 | 495e00c5 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-root | 2021/11/23 21:30 | upstream | 136057256686 | 545ab074 | .config log report info | KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce-selinux-root | 2022/02/07 03:50 | upstream | d8ad2ce873ab | a7dab638 | .config log report info | general protection fault in relay_switch_subbuf
ci-upstream-kasan-gce | 2020/02/09 23:30 | upstream | d1ea35f4cdd4 | 35f5e45e | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/12/29 22:50 | upstream | a99efa00891b | af6b8ef8 | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/11/17 19:36 | upstream | fe30021c36fb | d5696d51 | .config log report |
ci-upstream-kasan-gce-root | 2019/10/29 18:01 | upstream | 8005803a2ca0 | 5ea87a66 | .config log report |
ci-upstream-kasan-gce-smack-root | 2019/10/21 15:07 | upstream | 7d194c2100ad | b24d2b8a | .config log report |
ci-upstream-kasan-gce | 2019/10/17 02:11 | upstream | bc88f85c6c09 | 8c88c9c1 | .config log report |
ci-upstream-kasan-gce | 2019/10/16 16:06 | upstream | 3b1f00aceb7a | d4ea592f | .config log report |
ci-upstream-kasan-gce | 2019/10/01 02:11 | upstream | 54ecb8f7028c | c7a4fb99 | .config log report |
ci-upstream-kasan-gce | 2019/09/25 16:43 | upstream | 351c8a09b00b | a3355dba | .config log report |
ci-upstream-kasan-gce | 2019/09/16 07:31 | upstream | 4d856f72c10e | 32d59357 | .config log report |
ci-upstream-kasan-gce-root | 2019/09/14 11:35 | upstream | a7f89616b737 | 32d59357 | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/09/12 03:51 | upstream | 3120b9a6a3f7 | f4e53c10 | .config log report |
ci-upstream-kasan-gce | 2019/09/08 01:43 | upstream | b3a9964cfa69 | a60cb4cd | .config log report |
ci-upstream-kasan-gce-root | 2019/08/31 22:24 | upstream | eea173097dfb | bad3cce2 | .config log report |
ci-upstream-kasan-gce | 2019/08/31 10:53 | upstream | 6525771f58cb | fd37b39e | .config log report |
ci-upstream-kasan-gce | 2019/08/31 05:22 | upstream | 6525771f58cb | fd37b39e | .config log report |
ci-upstream-kasan-gce | 2019/08/30 22:35 | upstream | 6525771f58cb | fd37b39e | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/08/30 08:37 | upstream | 6525771f58cb | fd37b39e | .config log report |
ci-upstream-kasan-gce | 2019/08/30 05:38 | upstream | 6525771f58cb | fd37b39e | .config log report |
ci-upstream-kasan-gce | 2019/08/26 22:37 | upstream | a55aa89aab90 | d21c5d9d | .config log report |
ci-upstream-kasan-gce | 2019/08/26 19:46 | upstream | a55aa89aab90 | d21c5d9d | .config log report |
ci-upstream-kasan-gce | 2019/08/18 13:31 | upstream | 8fde2832bd0b | 55bf8926 | .config log report |
ci-upstream-kasan-gce-root | 2019/08/17 11:49 | upstream | 6e625a1a3f47 | 8fd428a1 | .config log report |
ci-upstream-kasan-gce | 2019/08/13 10:40 | upstream | d45331b00ddb | 8620c2c2 | .config log report |
ci-upstream-kasan-gce | 2019/08/06 01:19 | upstream | e21a712a9685 | 6affd8e8 | .config log report |
ci-upstream-kasan-gce | 2019/08/04 16:16 | upstream | d8778f13b73f | 6affd8e8 | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/08/03 17:57 | upstream | dcb8cfbd8fe9 | 6affd8e8 | .config log report |
ci-upstream-kasan-gce | 2019/08/03 13:19 | upstream | 755f1fed27f4 | 6affd8e8 | .config log report |
ci-upstream-kasan-gce | 2019/08/02 22:14 | upstream | 755f1fed27f4 | 6affd8e8 | .config log report |
ci-upstream-kasan-gce | 2019/08/02 19:43 | upstream | 1e78030e5e5b | 835dffe7 | .config log report |
ci-upstream-kasan-gce | 2019/08/02 16:41 | upstream | 1e78030e5e5b | 835dffe7 | .config log report |
ci-upstream-kasan-gce-root | 2019/06/23 03:05 | upstream | abf02e2964b3 | 34bf9440 | .config log report |
ci-upstream-kasan-gce | 2019/06/22 19:51 | upstream | abf02e2964b3 | 34bf9440 | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/06/12 03:12 | upstream | aa7235483a83 | ea2f4006 | .config log report |
ci-upstream-kasan-gce | 2019/06/10 14:22 | upstream | d1fdb6d8f6a4 | 0159583c | .config log report |
ci-upstream-kasan-gce-smack-root | 2019/05/04 04:57 | upstream | a4ccb5f9dc6c | d28f4ce5 | .config log report |
ci-upstream-kasan-gce | 2019/05/04 03:42 | upstream | a4ccb5f9dc6c | d28f4ce5 | .config log report |
ci-upstream-kasan-gce | 2019/04/30 16:17 | upstream | 83a50840e72a | 20f16bef | .config log report |
ci-upstream-kasan-gce | 2019/04/25 10:55 | upstream | cd8dead0c394 | 8e3c52b1 | .config log report |
ci-upstream-kasan-gce-selinux-root | 2019/04/17 16:02 | upstream | 444fe9913539 | b0e8efcb | .config log report |
ci-upstream-kasan-gce | 2019/04/16 18:27 | upstream | 618d919cae2f | 505ab413 | .config log report |
ci-upstream-kasan-gce | 2019/04/12 12:20 | upstream | 2d06b235815e | 8916f5e1 | .config log report |
ci-upstream-kasan-gce | 2019/04/07 08:39 | upstream | faac51ddac45 | c34fde03 | .config log report |
ci-upstream-kasan-gce | 2019/03/12 01:03 | upstream | a089e4fed5c5 | 12365b99 | .config log report |
ci-upstream-kasan-gce-root | 2019/02/20 01:36 | upstream | 40e196a906d9 | 4df543c9 | .config log report |
ci-upstream-kasan-gce | 2019/02/08 14:05 | upstream | 74e96711e337 | aa4feb03 | .config log report |
ci-upstream-kasan-gce | 2019/01/28 13:30 | upstream | f17b5f06cb92 | 629c2a27 | .config log report |
ci-upstream-kasan-gce-smack-root | 2019/01/27 13:27 | upstream | ba6069759381 | c73f090a | .config log report |
ci-upstream-kasan-gce | 2019/01/16 08:30 | upstream | 7939f8beecf1 | b47fa78d | .config log report |
ci-upstream-kasan-gce | 2018/12/30 04:44 | upstream | 195303136f19 | 35e3f847 | .config log report |
ci-upstream-kasan-gce | 2018/12/20 04:24 | upstream | ab63e725b49c | 02e69052 | .config log report |
ci-upstream-kasan-gce-root | 2018/12/01 22:15 | upstream | d8f190ee836a | 5a581673 | .config log report |
ci-upstream-kasan-gce | 2018/11/12 07:35 | upstream | e12e00e388de | 7b5f8621 | .config log report |
ci-upstream-kasan-gce-root | 2018/11/03 11:13 | upstream | 5f21585384a4 | 8bd6bd63 | .config log report |
ci-upstream-kasan-gce-root | 2018/10/20 07:12 | upstream | c7b70a641df2 | ecb386fe | .config log report |
ci-upstream-kasan-gce-selinux-root | 2018/10/02 20:33 | upstream | 1d2ba7fee28b | a316a2af | .config log report |
ci-upstream-kasan-gce-smack-root | 2018/09/25 10:16 | upstream | 2dd68cc7fd8c | 0e7547d7 | .config log report |
ci-upstream-kasan-gce-386 | 2020/04/15 22:34 | upstream | 8632e9b5645b | 3f3c5574 | .config log report |
ci-upstream-kasan-gce-386 | 2019/04/16 00:25 | upstream | 5512320c9f6f | 505ab413 | .config log report |
ci-upstream-linux-next-kasan-gce-root | 2019/03/03 10:31 | linux-next | c63e9e91a254 | 1c0e457a | .config log report |