syzbot


KASAN: use-after-free Read in io_queue_link_head

Status: upstream: reported C repro on 2021/01/22 16:20
Reported-by: syzbot+a4ce41cc542d66d69c89@syzkaller.appspotmail.com
First crash: 680d, last: 53d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in io_queue_link_head+0x56f/0x680 fs/io_uring.c:2550
Read of size 8 at addr ffff8881e0a087d0 by task syz-executor960/306

CPU: 0 PID: 306 Comm: syz-executor960 Not tainted 5.4.197-syzkaller-00010-gccdf6bdf62a8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 io_queue_link_head+0x56f/0x680 fs/io_uring.c:2550
 io_ring_submit fs/io_uring.c:2979 [inline]
 __do_sys_io_uring_enter fs/io_uring.c:3861 [inline]
 __se_sys_io_uring_enter+0xb09/0x1cb0 fs/io_uring.c:3822
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f1f567f02f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe67ed6518 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1f567f02f9
RDX: 0000000000000000 RSI: 00000000000022ff RDI: 0000000000000003
RBP: 00007ffe67ed6540 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000

Allocated by task 306:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 kmem_cache_alloc_bulk+0x16f/0x270 mm/slub.c:3291
 io_get_req+0x17a/0x590 fs/io_uring.c:668
 io_submit_sqe+0x83/0xe80 fs/io_uring.c:2587
 io_ring_submit fs/io_uring.c:2975 [inline]
 __do_sys_io_uring_enter fs/io_uring.c:3861 [inline]
 __se_sys_io_uring_enter+0x7cf/0x1cb0 fs/io_uring.c:3822
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 306:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
 io_queue_link_head+0x2b7/0x680 fs/io_uring.c:2548
 io_ring_submit fs/io_uring.c:2979 [inline]
 __do_sys_io_uring_enter fs/io_uring.c:3861 [inline]
 __se_sys_io_uring_enter+0xb09/0x1cb0 fs/io_uring.c:3822
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881e0a08780
 which belongs to the cache io_kiocb of size 264
The buggy address is located 80 bytes inside of
 264-byte region [ffff8881e0a08780, ffff8881e0a08888)
The buggy address belongs to the page:
page:ffffea0007828200 refcount:1 mapcount:0 mapping:ffff8881f5e5aa00 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5e5aa00
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x2ab/0x6f0 mm/page_alloc.c:4857
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2506 [inline]
 ___slab_alloc+0x320/0x4b0 mm/slub.c:2667
 kmem_cache_alloc_bulk+0xc6/0x270 mm/slub.c:3265
 io_get_req+0x17a/0x590 fs/io_uring.c:668
 io_submit_sqe+0x83/0xe80 fs/io_uring.c:2587
 io_ring_submit fs/io_uring.c:2975 [inline]
 __do_sys_io_uring_enter fs/io_uring.c:3861 [inline]
 __se_sys_io_uring_enter+0x7cf/0x1cb0 fs/io_uring.c:3822
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7ee/0x920 mm/page_alloc.c:1438
 put_page include/linux/mm.h:1150 [inline]
 page_to_skb+0x62e/0x910 drivers/net/virtio_net.c:433
 receive_mergeable+0x73e/0x2300 drivers/net/virtio_net.c:977
 receive_buf+0x104/0x1940 drivers/net/virtio_net.c:1087
 virtnet_receive drivers/net/virtio_net.c:1379 [inline]
 virtnet_poll+0x554/0x10b0 drivers/net/virtio_net.c:1484
 napi_poll+0x195/0x670 net/core/dev.c:6352
 net_rx_action+0x2dd/0x890 net/core/dev.c:6420
 __do_softirq+0x23e/0x643 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x195/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:538 [inline]
 do_IRQ+0xc4/0x1b0 arch/x86/kernel/irq.c:263
 ret_from_intr+0x0/0x14
 native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
 arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
 default_idle+0x1f/0x30 arch/x86/kernel/process.c:572
 default_idle_call kernel/sched/idle.c:94 [inline]
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x1d2/0x590 kernel/sched/idle.c:264
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:356
 start_secondary+0x312/0x390 arch/x86/kernel/smpboot.c:264
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

Memory state around the buggy address:
 ffff8881e0a08680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881e0a08700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881e0a08780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8881e0a08800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e0a08880: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
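Triage note (added by the editor, not part of the syzbot report): the numbers in the report are mutually consistent and tell a simple story. The io_kiocb is allocated in io_get_req (fs/io_uring.c:668, via kmem_cache_alloc_bulk), freed with kmem_cache_free from io_queue_link_head at fs/io_uring.c:2548, and then read (8 bytes at offset 80 into the same 264-byte object) two lines later at fs/io_uring.c:2550, all by task 306 inside a single io_uring_enter call. Allocation, free and use by one task in one syscall is a deterministic sequential use-after-free rather than a cross-task race, which fits syzbot having a working C repro. The shadow row confirms it: the `^` sits under a 0xfb byte (freed slab object) inside the object region, not under a 0xfc redzone byte as a slab-out-of-bounds would show. The script below is an added example in Python, not code from syzbot or the kernel; it parses the report's key lines (embedded as constructed input copied from above, stacks trimmed), cross-checks the object offset and region size against the access, decodes the shadow byte at the accessed address (generic KASAN, one shadow byte per 8 bytes; 0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE, as named in mm/kasan/kasan.h), and reports whether alloc, free and use were all done by the same task. All function and variable names are the example's own.

```python
import re

# Constructed input: the relevant lines copied from the KASAN report on this page
# (alloc/free stacks trimmed to the frames the script needs).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in io_queue_link_head+0x56f/0x680 fs/io_uring.c:2550
Read of size 8 at addr ffff8881e0a087d0 by task syz-executor960/306

Allocated by task 306:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 kmem_cache_alloc_bulk+0x16f/0x270 mm/slub.c:3291
 io_get_req+0x17a/0x590 fs/io_uring.c:668
 io_submit_sqe+0x83/0xe80 fs/io_uring.c:2587

Freed by task 306:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
 io_queue_link_head+0x2b7/0x680 fs/io_uring.c:2548
 io_ring_submit fs/io_uring.c:2979 [inline]

The buggy address belongs to the object at ffff8881e0a08780
 which belongs to the cache io_kiocb of size 264
The buggy address is located 80 bytes inside of
 264-byte region [ffff8881e0a08780, ffff8881e0a08888)

Memory state around the buggy address:
 ffff8881e0a08700: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881e0a08780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8881e0a08800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e0a08880: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Generic KASAN maps every 8 bytes of memory to one shadow byte; the values below
# are the ones that appear in this report (names as in mm/kasan/kasan.h).
SHADOW_GRANULE = 8
SHADOW_MEANING = {
    0x00: "addressable",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)",
}

_FRAME_RE = re.compile(r" (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)")


def _first_caller(section):
    """First frame of a stack section outside mm/: the subsystem code that did the
    alloc/free, rather than the allocator's or KASAN's own bookkeeping frames."""
    for line in section.splitlines():
        m = _FRAME_RE.match(line)
        if m and not m.group(2).startswith("mm/"):
            return m.group(1), m.group(2)
    return None


def parse_kasan_report(text):
    """Pull the facts a triager needs out of a KASAN slab-object report."""
    m = re.search(r"BUG: KASAN: (\S+) in (\S+?)(?:\+0x\S+)? (\S+)", text)
    bug_type, use_site = m.group(1), (m.group(2), m.group(3))
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", text)
    access = {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16),
              "comm": m.group(4), "pid": int(m.group(5))}
    m = re.search(r"cache (\S+) of size (\d+)", text)
    cache, obj_size = m.group(1), int(m.group(2))
    m = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    region = (int(m.group(1), 16), int(m.group(2), 16))
    alloc = re.search(r"Allocated by task (\d+):\n((?: .*\n)+)", text)
    free = re.search(r"Freed by task (\d+):\n((?: .*\n)+)", text)
    shadow = {}  # granule-aligned memory address -> shadow byte value
    for line in text.splitlines():
        m = re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", line)
        if m:
            base = int(m.group(1), 16)
            for i, byte in enumerate(m.group(2).split()):
                shadow[base + i * SHADOW_GRANULE] = int(byte, 16)
    return {"bug_type": bug_type, "use_site": use_site, "access": access,
            "cache": cache, "obj_size": obj_size, "region": region,
            "alloc_pid": int(alloc.group(1)), "alloc_site": _first_caller(alloc.group(2)),
            "free_pid": int(free.group(1)), "free_site": _first_caller(free.group(2)),
            "shadow": shadow}


def triage(r):
    """Cross-check the report's numbers and summarize what kind of UAF it is."""
    addr, size = r["access"]["addr"], r["access"]["size"]
    lo, hi = r["region"]
    shadow_byte = r["shadow"].get(addr & ~(SHADOW_GRANULE - 1))
    return {
        "offset": addr - lo,  # where in the object the access lands
        "region_matches_cache": hi - lo == r["obj_size"],
        "within_object": lo <= addr and addr + size <= hi,  # not a redzone overflow
        "shadow_byte": shadow_byte,
        "shadow_meaning": SHADOW_MEANING.get(shadow_byte, "unknown"),
        # alloc, free and use all by one pid: a sequential UAF, not a cross-task race
        "same_task": r["alloc_pid"] == r["free_pid"] == r["access"]["pid"],
        "free_and_use_in_same_function": r["free_site"][0] == r["use_site"][0],
    }


if __name__ == "__main__":
    report = parse_kasan_report(KASAN_REPORT)
    for key, value in triage(report).items():
        print(f"{key}: {value}")
    print("freed at", report["free_site"], "used at", report["use_site"])
```

The two checks worth keeping in any triage script are the shadow decode and the offset test together: 0xfb at an address inside [lo, hi) is a freed-object access, while 0xfc with the access landing just past hi would be a slab-out-of-bounds into the redzone, and the two need different follow-up even when the crash title looks similar.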

Crashes (21):
Manager                Time              Kernel         Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci2-android-5-4-kasan  2022/09/16 15:30  android12-5.4  ccdf6bdf62a8  dd9a85ff   .config  log  report  syz        C        -        KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/01/22 16:33  android12-5.4  15cec007c4a8  d4f4eca5   .config  log  report  syz        C        -        KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2022/10/12 04:55  android12-5.4  35e910266d44  02b6492e   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2022/09/16 15:18  android12-5.4  ccdf6bdf62a8  dd9a85ff   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2022/04/18 08:13  android12-5.4  b730087e9a5d  8bcc32a6   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2022/02/09 20:11  android12-5.4  2159354389cf  0b33604d   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2022/01/06 19:00  android12-5.4  5b673be0c6b0  6acc789a   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/12/01 14:17  android12-5.4  0bbc71d87f4d  5fa3eacc   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/11/25 03:51  android12-5.4  697fba25ed27  545ab074   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/11/14 17:49  android12-5.4  60bad4df861d  75b04091   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/11/07 07:15  android12-5.4  2138e7367558  4c1be0be   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/10/14 10:24  android12-5.4  73e6d86c30ee  5462d470   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/09/30 15:04  android12-5.4  12806d81361b  0f01403d   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/09/16 10:58  android12-5.4  4614f5de0f95  07e953c1   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/08/12 11:46  android12-5.4  86266c58a7b0  6972b106   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/07/30 02:56  android12-5.4  46857ce15052  8a799410   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/07/06 12:42  android12-5.4  eaef435f4357  6c4484eb   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/06/13 08:11  android12-5.4  83ffd1a84016  1ba81399   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/04/02 14:34  android12-5.4  708026dc169c  6a81331a   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/03/23 11:20  android12-5.4  c50ff8e5608b  8092f30d   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
ci2-android-5-4-kasan  2021/01/22 16:19  android12-5.4  15cec007c4a8  d4f4eca5   .config  log  report  -          -        info     KASAN: use-after-free Read in io_queue_link_head
* Struck through repros no longer work on HEAD.