syzbot


KASAN: use-after-free Read in shmem_free_inode

Status: auto-closed as invalid on 2019/03/08 09:51
First crash: 2027d, last: 2027d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in shmem_free_inode.isra.1+0x83/0x90 mm/shmem.c:214
Read of size 8 at addr ffff8801cc484ce0 by task syz-executor4/12839

CPU: 0 PID: 12839 Comm: syz-executor4 Not tainted 4.9.125+ #37
 ffff8801d1007bb0 ffffffff81af0ae9 ffffea0007312100 ffff8801cc484ce0
 0000000000000000 ffff8801cc484ce0 ffff8801cb430a08 ffff8801d1007be8
 ffffffff814e0e1d ffff8801cc484ce0 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81af0ae9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81af0ae9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814e0e1d>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff814e1227>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff814e1227>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff814d3664>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff814421a3>] shmem_free_inode.isra.1+0x83/0x90 mm/shmem.c:214
 [<ffffffff814482fd>] shmem_evict_inode+0x1ad/0x5c0 mm/shmem.c:1067
 [<ffffffff81541e3e>] evict+0x22e/0x4f0 fs/inode.c:553
 [<ffffffff81542f31>] iput_final fs/inode.c:1516 [inline]
 [<ffffffff81542f31>] iput+0x371/0x900 fs/inode.c:1543
 [<ffffffff815bfd31>] fsnotify_detach_mark+0x251/0x2f0 fs/notify/mark.c:170
 [<ffffffff815c10ac>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506
 [<ffffffff815beae2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70
 [<ffffffff815c2827>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282
 [<ffffffff814f06f3>] __fput+0x263/0x700 fs/file_table.c:208
 [<ffffffff814f0c15>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81138c4c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [<ffffffff81003e49>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff81003e49>] exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:161
 [<ffffffff8100570d>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [<ffffffff8100570d>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [<ffffffff8100570d>] do_syscall_64+0x35d/0x480 arch/x86/entry/common.c:287
 [<ffffffff8278c193>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 12845:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kmem_cache_alloc_trace+0x117/0x2e0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 shmem_fill_super+0x55/0x940 mm/shmem.c:3576
 mount_nodev+0x5b/0x100 fs/super.c:1146
 shmem_mount+0x2c/0x40 mm/shmem.c:3785
 mount_fs+0x28c/0x370 fs/super.c:1206
 vfs_kern_mount.part.8+0xd1/0x3d0 fs/namespace.c:1000
 vfs_kern_mount fs/namespace.c:982 [inline]
 do_new_mount fs/namespace.c:2537 [inline]
 do_mount+0x3c9/0x2790 fs/namespace.c:2859
 SYSC_mount fs/namespace.c:3075 [inline]
 SyS_mount+0xea/0x100 fs/namespace.c:3052
 do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 12845:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 shmem_put_super+0x47/0x90 mm/shmem.c:3565
 generic_shutdown_super+0x149/0x300 fs/super.c:437
 kill_anon_super fs/super.c:968 [inline]
 kill_litter_super+0x72/0x90 fs/super.c:978
 deactivate_locked_super+0x75/0xd0 fs/super.c:310
 deactivate_super+0x91/0xd0 fs/super.c:341
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1143
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1150
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_64+0x35d/0x480 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801cc484c80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 96 bytes inside of
 512-byte region [ffff8801cc484c80, ffff8801cc484e80)
The buggy address belongs to the page:
page:ffffea0007312100 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc484b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cc484c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801cc484d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc484d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=62976 sclass=netlink_route_socket pig=12866 comm=syz-executor3
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/09 09:48 https://android.googlesource.com/kernel/common android-4.9 dcae9fa1319b 6b5120a4 .config console log report ci-android-49-kasan-gce-root
* Struck through repros no longer work on HEAD.