syzbot


KASAN: use-after-free Read in relay_switch_subbuf

Status: upstream: reported C repro on 2018/09/26 07:41
Reported-by: syzbot+29093015c21333d1c46d@syzkaller.appspotmail.com
First crash: 1527d, last: 32d

Cause bisection: introduced by (bisect log):
commit 21c75ad65f8e5213ec542d99c259ffe3e3671e81
Author: YueHaibing <yuehaibing@huawei.com>
Date: Thu Mar 21 08:26:28 2019 +0000

  parport_cs: Fix memory leak in parport_config

Crash: KASAN: use-after-free Read in relay_switch_subbuf (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (9):
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: use-after-free Read in relay_switch_subbuf | | | | 10 | 887d | 1311d | 0/1 | auto-closed as invalid on 2020/10/24 01:02 |
| linux-4.14 | KASAN: use-after-free Read in relay_switch_subbuf | C | done | unreliable | 5 | 79d | 1121d | 0/1 | upstream: reported C repro on 2019/11/05 17:36 |
| linux-4.19 | KASAN: use-after-free Read in relay_switch_subbuf (2) | | | | 18 | 18d | 409d | 0/1 | upstream: reported on 2021/10/17 18:33 |
| linux-4.14 | general protection fault in relay_switch_subbuf | | | | 2 | 978d | 1071d | 0/1 | auto-closed as invalid on 2020/07/25 03:12 |
| upstream | general protection fault in relay_switch_subbuf | | | | 4 | 1406d | 1378d | 0/24 | auto-closed as invalid on 2019/07/23 22:29 |
| upstream | general protection fault in relay_switch_subbuf (2) | | | | 1 | 1218d | 1210d | 0/24 | auto-closed as invalid on 2019/10/25 14:11 |
| upstream | general protection fault in relay_switch_subbuf (3) | | | | 1 | 1126d | 1126d | 0/24 | auto-closed as invalid on 2020/01/29 10:20 |
| linux-4.19 | general protection fault in relay_switch_subbuf | | | | 1 | 1201d | 1201d | 0/1 | auto-closed as invalid on 2019/12/15 08:14 |
| linux-4.19 | general protection fault in relay_switch_subbuf (2) | | | | 1 | 898d | 898d | 0/1 | auto-closed as invalid on 2020/10/13 07:52 |
Patch testing requests:
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2021/03/15 02:41 | 18m | ducheng2@gmail.com | | upstream | OK |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:515 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
Read of size 8 at addr ffff8880aa0ce4f8 by task kworker/0:2/2908

CPU: 0 PID: 2908 Comm: kworker/0:2 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 d_inode include/linux/dcache.h:515 [inline]
 relay_switch_subbuf+0x27a/0x630 kernel/relay.c:755
 relay_flush+0x1ff/0x2e0 kernel/relay.c:883
 __blk_trace_startstop kernel/trace/blktrace.c:662 [inline]
 blk_trace_shutdown+0x203/0x260 kernel/trace/blktrace.c:746
 __blk_release_queue+0x244/0x2e0 block/blk-sysfs.c:904
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 7879:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3319 [inline]
 kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
 __d_alloc+0x2d/0x6e0 fs/dcache.c:1688
 d_alloc fs/dcache.c:1767 [inline]
 d_alloc_parallel+0x7f/0x1430 fs/dcache.c:2519
 __lookup_slow+0xa7/0x380 fs/namei.c:1646
 lookup_one_len+0x123/0x220 fs/namei.c:2533
 start_creating+0xd3/0x270 fs/debugfs/inode.c:339
 __debugfs_create_file+0x75/0x470 fs/debugfs/inode.c:384
 debugfs_create_file+0x4a/0x60 fs/debugfs/inode.c:441
 blk_create_buf_file_callback+0x34/0x40 kernel/trace/blktrace.c:444
 relay_create_buf_file kernel/relay.c:428 [inline]
 relay_open_buf+0x5cb/0xd60 kernel/relay.c:457
 relay_open+0x491/0x970 kernel/relay.c:599
 do_blk_trace_setup+0x4b9/0xaa0 kernel/trace/blktrace.c:526
 __blk_trace_setup kernel/trace/blktrace.c:571 [inline]
 blk_trace_ioctl+0x24c/0x7d0 kernel/trace/blktrace.c:710
 blkdev_ioctl+0x134a/0x2980 block/ioctl.c:592
 block_ioctl+0xbd/0x100 fs/block_dev.c:1954
 do_vfs_ioctl+0x744/0x1730 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:718
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 __d_free+0x20/0x30 fs/dcache.c:271
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766

The buggy address belongs to the object at ffff8880aa0ce4a0
 which belongs to the cache dentry(17:syz0) of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff8880aa0ce4a0, ffff8880aa0ce5c0)
The buggy address belongs to the page:
page:ffffea0002a83380 refcount:1 mapcount:0 mapping:ffff8880910e3e00 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002a82188 ffffea0002a81cc8 ffff8880910e3e00
raw: 0000000000000000 ffff8880aa0ce080 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aa0ce380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8880aa0ce480: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff8880aa0ce500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aa0ce580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (93):