KASAN: use-after-free Read in relay_switch

KASAN: use-after-free Read in relay_switch_subbuf
Status: upstream: reported C repro on 2018/09/26 07:41
Reported-by: syzbot+29093015c21333d1c46d@syzkaller.appspotmail.com
First crash: 1220d, last: 65d

Cause bisection: introduced by (bisect log) :
commit 21c75ad65f8e5213ec542d99c259ffe3e3671e81
Author: YueHaibing <yuehaibing@huawei.com>
Date: Thu Mar 21 08:26:28 2019 +0000

parport_cs: Fix memory leak in parport_config

Crash: KASAN: use-after-free Read in relay_switch_subbuf (log)
Repro: C syz .config

Fix bisection: failed (bisect log)

similar bugs (3):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: use-after-free Read in relay_switch_subbuf				10	581d	1005d	0/1	auto-closed as invalid on 2020/10/24 01:02
linux-4.14	KASAN: use-after-free Read in relay_switch_subbuf	C	done	unreliable	4	445d	814d	0/1	upstream: reported C repro on 2019/11/05 17:36
linux-4.19	KASAN: use-after-free Read in relay_switch_subbuf (2)				4	1d12h	102d	0/1	upstream: reported on 2021/10/17 18:33

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/03/15 02:41	18m	ducheng2@gmail.com		upstream	OK

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:515 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
Read of size 8 at addr ffff8880aa0ce4f8 by task kworker/0:2/2908

CPU: 0 PID: 2908 Comm: kworker/0:2 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 d_inode include/linux/dcache.h:515 [inline]
 relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
 relay_flush+0x1ff/0x2e0 kernel/relay.c:883
 __blk_trace_startstop kernel/trace/blktrace.c:662 [inline]
 blk_trace_shutdown+0x203/0x260 kernel/trace/blktrace.c:746
 __blk_release_queue+0x244/0x2e0 block/blk-sysfs.c:904
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 7879:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3319 [inline]
 kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
 __d_alloc+0x2d/0x6e0 fs/dcache.c:1688
 d_alloc fs/dcache.c:1767 [inline]
 d_alloc_parallel+0x7f/0x1430 fs/dcache.c:2519
 __lookup_slow+0xa7/0x380 fs/namei.c:1646
 lookup_one_len+0x123/0x220 fs/namei.c:2533
 start_creating+0xd3/0x270 fs/debugfs/inode.c:339
 __debugfs_create_file+0x75/0x470 fs/debugfs/inode.c:384
 debugfs_create_file+0x4a/0x60 fs/debugfs/inode.c:441
 blk_create_buf_file_callback+0x34/0x40 kernel/trace/blktrace.c:444
 relay_create_buf_file kernel/relay.c:428 [inline]
 relay_open_buf+0x5cb/0xd60 kernel/relay.c:457
 relay_open+0x491/0x970 kernel/relay.c:599
 do_blk_trace_setup+0x4b9/0xaa0 kernel/trace/blktrace.c:526
 __blk_trace_setup kernel/trace/blktrace.c:571 [inline]
 blk_trace_ioctl+0x24c/0x7d0 kernel/trace/blktrace.c:710
 blkdev_ioctl+0x134a/0x2980 block/ioctl.c:592
 block_ioctl+0xbd/0x100 fs/block_dev.c:1954
 do_vfs_ioctl+0x744/0x1730 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:718
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 __d_free+0x20/0x30 fs/dcache.c:271
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766

The buggy address belongs to the object at ffff8880aa0ce4a0
 which belongs to the cache dentry(17:syz0) of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff8880aa0ce4a0, ffff8880aa0ce5c0)
The buggy address belongs to the page:
page:ffffea0002a83380 refcount:1 mapcount:0 mapping:ffff8880910e3e00 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002a82188 ffffea0002a81cc8 ffff8880910e3e00
raw: 0000000000000000 ffff8880aa0ce080 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aa0ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8880aa0ce480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880aa0ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (64):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-smack-root	2019/11/08 16:33	upstream	847120f859cc	1e35461e	.config	log	report	syz	C
ci-upstream-kasan-gce	2019/11/06 07:57	upstream	26bc67213424	bc2c6e45	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2019/11/25 22:25	linux-next	c165016bac27	371caf77	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2021/11/23 21:30	upstream	136057256686	545ab074	.config	log	report			info	KASAN: use-after-free Read in relay_switch_subbuf
ci-upstream-kasan-gce	2020/02/09 23:30	upstream	d1ea35f4cdd4	35f5e45e	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/12/29 22:50	upstream	a99efa00891b	af6b8ef8	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/17 19:36	upstream	fe30021c36fb	d5696d51	.config	log	report
ci-upstream-kasan-gce-root	2019/10/29 18:01	upstream	8005803a2ca0	5ea87a66	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/10/21 15:07	upstream	7d194c2100ad	b24d2b8a	.config	log	report
ci-upstream-kasan-gce	2019/10/17 02:11	upstream	bc88f85c6c09	8c88c9c1	.config	log	report
ci-upstream-kasan-gce	2019/10/16 16:06	upstream	3b1f00aceb7a	d4ea592f	.config	log	report
ci-upstream-kasan-gce	2019/10/01 02:11	upstream	54ecb8f7028c	c7a4fb99	.config	log	report
ci-upstream-kasan-gce	2019/09/25 16:43	upstream	351c8a09b00b	a3355dba	.config	log	report
ci-upstream-kasan-gce	2019/09/16 07:31	upstream	4d856f72c10e	32d59357	.config	log	report
ci-upstream-kasan-gce-root	2019/09/14 11:35	upstream	a7f89616b737	32d59357	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/09/12 03:51	upstream	3120b9a6a3f7	f4e53c10	.config	log	report
ci-upstream-kasan-gce	2019/09/08 01:43	upstream	b3a9964cfa69	a60cb4cd	.config	log	report
ci-upstream-kasan-gce-root	2019/08/31 22:24	upstream	eea173097dfb	bad3cce2	.config	log	report
ci-upstream-kasan-gce	2019/08/31 10:53	upstream	6525771f58cb	fd37b39e	.config	log	report
ci-upstream-kasan-gce	2019/08/31 05:22	upstream	6525771f58cb	fd37b39e	.config	log	report
ci-upstream-kasan-gce	2019/08/30 22:35	upstream	6525771f58cb	fd37b39e	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/08/30 08:37	upstream	6525771f58cb	fd37b39e	.config	log	report
ci-upstream-kasan-gce	2019/08/30 05:38	upstream	6525771f58cb	fd37b39e	.config	log	report
ci-upstream-kasan-gce	2019/08/26 22:37	upstream	a55aa89aab90	d21c5d9d	.config	log	report
ci-upstream-kasan-gce	2019/08/26 19:46	upstream	a55aa89aab90	d21c5d9d	.config	log	report
ci-upstream-kasan-gce	2019/08/18 13:31	upstream	8fde2832bd0b	55bf8926	.config	log	report
ci-upstream-kasan-gce-root	2019/08/17 11:49	upstream	6e625a1a3f47	8fd428a1	.config	log	report
ci-upstream-kasan-gce	2019/08/13 10:40	upstream	d45331b00ddb	8620c2c2	.config	log	report
ci-upstream-kasan-gce	2019/08/06 01:19	upstream	e21a712a9685	6affd8e8	.config	log	report
ci-upstream-kasan-gce	2019/08/04 16:16	upstream	d8778f13b73f	6affd8e8	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/08/03 17:57	upstream	dcb8cfbd8fe9	6affd8e8	.config	log	report
ci-upstream-kasan-gce	2019/08/03 13:19	upstream	755f1fed27f4	6affd8e8	.config	log	report
ci-upstream-kasan-gce	2019/08/02 22:14	upstream	755f1fed27f4	6affd8e8	.config	log	report
ci-upstream-kasan-gce	2019/08/02 19:43	upstream	1e78030e5e5b	835dffe7	.config	log	report
ci-upstream-kasan-gce	2019/08/02 16:41	upstream	1e78030e5e5b	835dffe7	.config	log	report
ci-upstream-kasan-gce-root	2019/06/23 03:05	upstream	abf02e2964b3	34bf9440	.config	log	report
ci-upstream-kasan-gce	2019/06/22 19:51	upstream	abf02e2964b3	34bf9440	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/06/12 03:12	upstream	aa7235483a83	ea2f4006	.config	log	report
ci-upstream-kasan-gce	2019/06/10 14:22	upstream	d1fdb6d8f6a4	0159583c	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/05/04 04:57	upstream	a4ccb5f9dc6c	d28f4ce5	.config	log	report
ci-upstream-kasan-gce	2019/05/04 03:42	upstream	a4ccb5f9dc6c	d28f4ce5	.config	log	report
ci-upstream-kasan-gce	2019/04/30 16:17	upstream	83a50840e72a	20f16bef	.config	log	report
ci-upstream-kasan-gce	2019/04/25 10:55	upstream	cd8dead0c394	8e3c52b1	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/04/17 16:02	upstream	444fe9913539	b0e8efcb	.config	log	report
ci-upstream-kasan-gce	2019/04/16 18:27	upstream	618d919cae2f	505ab413	.config	log	report
ci-upstream-kasan-gce	2019/04/12 12:20	upstream	2d06b235815e	8916f5e1	.config	log	report
ci-upstream-kasan-gce	2019/04/07 08:39	upstream	faac51ddac45	c34fde03	.config	log	report
ci-upstream-kasan-gce	2019/03/12 01:03	upstream	a089e4fed5c5	12365b99	.config	log	report
ci-upstream-kasan-gce-root	2019/02/20 01:36	upstream	40e196a906d9	4df543c9	.config	log	report
ci-upstream-kasan-gce	2019/02/08 14:05	upstream	74e96711e337	aa4feb03	.config	log	report
ci-upstream-kasan-gce	2019/01/28 13:30	upstream	f17b5f06cb92	629c2a27	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/01/27 13:27	upstream	ba6069759381	c73f090a	.config	log	report
ci-upstream-kasan-gce	2019/01/16 08:30	upstream	7939f8beecf1	b47fa78d	.config	log	report
ci-upstream-kasan-gce	2018/12/30 04:44	upstream	195303136f19	35e3f847	.config	log	report
ci-upstream-kasan-gce	2018/12/20 04:24	upstream	ab63e725b49c	02e69052	.config	log	report
ci-upstream-kasan-gce-root	2018/12/01 22:15	upstream	d8f190ee836a	5a581673	.config	log	report
ci-upstream-kasan-gce	2018/11/12 07:35	upstream	e12e00e388de	7b5f8621	.config	log	report
ci-upstream-kasan-gce-root	2018/11/03 11:13	upstream	5f21585384a4	8bd6bd63	.config	log	report
ci-upstream-kasan-gce-root	2018/10/20 07:12	upstream	c7b70a641df2	ecb386fe	.config	log	report
ci-upstream-kasan-gce-selinux-root	2018/10/02 20:33	upstream	1d2ba7fee28b	a316a2af	.config	log	report
ci-upstream-kasan-gce-smack-root	2018/09/25 10:16	upstream	2dd68cc7fd8c	0e7547d7	.config	log	report
ci-upstream-kasan-gce-386	2020/04/15 22:34	upstream	8632e9b5645b	3f3c5574	.config	log	report
ci-upstream-kasan-gce-386	2019/04/16 00:25	upstream	5512320c9f6f	505ab413	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2019/03/03 10:31	linux-next	c63e9e91a254	1c0e457a	.config	log	report