syzbot

 sign-in | mailing list | source | docs
🐞 Open [76]
🐞 Fixed [22]
🐞 Invalid [311]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
💬 Send us feedback

KASAN: slab-out-of-bounds Read in unaccount_page_cache_page

Status: auto-obsoleted due to no activity on 2024/04/30 10:15
First crash: 301d, last: 220d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in unaccount_page_cache_page 118 186d 661d 0/2 auto-obsoleted due to no activity on 2024/05/01 01:14
android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page 150 139d 667d 0/2 auto-obsoleted due to no activity on 2024/06/10 16:28
android-54 KASAN: use-after-free Read in unaccount_page_cache_page 143 452d 665d 0/2 auto-obsoleted due to no activity on 2023/08/23 09:09
android-5-10 KASAN: use-after-free Read in unaccount_page_cache_page (2) 1 25d 25d 0/2 premoderation: reported on 2024/08/13 21:29
android-5-15 KASAN: use-after-free Read in unaccount_page_cache_page (2) 1 15d 15d 0/2 premoderation: reported on 2024/08/23 02:36

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
BUG: KASAN: slab-out-of-bounds in cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
BUG: KASAN: slab-out-of-bounds in unaccount_page_cache_page+0x6e6/0x750 mm/filemap.c:169
Read of size 4 at addr ffff8881ea1f5488 by task syz-executor.5/10963

CPU: 1 PID: 10963 Comm: syz-executor.5 Not tainted 5.4.254-syzkaller-00011-g2ac128c04e33 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
 unaccount_page_cache_page+0x6e6/0x750 mm/filemap.c:169
 __delete_from_page_cache+0xd0/0x600 mm/filemap.c:237
 __remove_mapping+0x4a2/0x590 mm/vmscan.c:978
 shrink_page_list+0x22f9/0x42c0 mm/vmscan.c:1482
 shrink_inactive_list+0x533/0xfe0 mm/vmscan.c:2001
 shrink_list mm/vmscan.c:2293 [inline]
 shrink_node_memcg+0xc42/0x2430 mm/vmscan.c:2623
 shrink_node+0x389/0x14a0 mm/vmscan.c:2836
 shrink_zones mm/vmscan.c:3053 [inline]
 do_try_to_free_pages+0x63f/0x12b0 mm/vmscan.c:3111
 try_to_free_mem_cgroup_pages+0x3f6/0x9b0 mm/vmscan.c:3412
 try_charge+0x50e/0x1510 mm/memcontrol.c:2616
 mem_cgroup_try_charge+0x2bd/0x400 mm/memcontrol.c:6586
 __add_to_page_cache_locked+0x23d/0xb10 mm/filemap.c:865
 add_to_page_cache_lru+0x117/0x2c0 mm/filemap.c:962
 pagecache_get_page+0x50a/0x750 mm/filemap.c:1742
 grab_cache_page_write_begin+0x51/0x90 mm/filemap.c:3302
 ext4_da_write_begin+0x58d/0xfe0 fs/ext4/inode.c:3144
 generic_perform_write+0x2c7/0x560 mm/filemap.c:3352
 __generic_file_write_iter+0x224/0x530 mm/filemap.c:3481
 ext4_file_write_iter+0x499/0x10e0 fs/ext4/file.c:270
 call_write_iter include/linux/fs.h:1981 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5d3/0x750 fs/read_write.c:496
 __kernel_write+0x10f/0x350 fs/read_write.c:515
 dump_emit+0x213/0x350 fs/coredump.c:838
 elf_core_dump+0x3e1b/0x4740 fs/binfmt_elf.c:2352
 do_coredump+0x20fb/0x2f00 fs/coredump.c:801
 get_signal+0xd83/0x1440 kernel/signal.c:2729
 do_signal+0xb0/0x11f0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0xc0/0x1a0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x199/0x200 arch/x86/entry/common.c:194
 retint_user+0x8/0x8

Allocated by task 10819:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 getname_kernel+0x55/0x2d0 fs/namei.c:221
 kern_path+0x19/0x40 fs/namei.c:2509
 lookup_bdev fs/block_dev.c:2199 [inline]
 blkdev_get_by_path+0xc8/0x2e0 fs/block_dev.c:1772
 mount_bdev+0x51/0x370 fs/super.c:1384
 legacy_get_tree+0xdf/0x170 fs/fs_context.c:648
 vfs_get_tree+0x85/0x260 fs/super.c:1556
 do_new_mount+0x292/0x570 fs/namespace.c:2843
 do_mount+0x688/0xe10 fs/namespace.c:3163
 ksys_mount+0xc2/0xf0 fs/namespace.c:3372
 __do_sys_mount fs/namespace.c:3386 [inline]
 __se_sys_mount fs/namespace.c:3383 [inline]
 __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 10819:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0x10b/0x2c0 mm/slub.c:3096
 putname fs/namei.c:262 [inline]
 filename_lookup+0x50e/0x6e0 fs/namei.c:2432
 lookup_bdev fs/block_dev.c:2199 [inline]
 blkdev_get_by_path+0xc8/0x2e0 fs/block_dev.c:1772
 mount_bdev+0x51/0x370 fs/super.c:1384
 legacy_get_tree+0xdf/0x170 fs/fs_context.c:648
 vfs_get_tree+0x85/0x260 fs/super.c:1556
 do_new_mount+0x292/0x570 fs/namespace.c:2843
 do_mount+0x688/0xe10 fs/namespace.c:3163
 ksys_mount+0xc2/0xf0 fs/namespace.c:3372
 __do_sys_mount fs/namespace.c:3386 [inline]
 __se_sys_mount fs/namespace.c:3383 [inline]
 __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the object at ffff8881ea1f4400
 which belongs to the cache names_cache of size 4096
The buggy address is located 136 bytes to the right of
 4096-byte region [ffff8881ea1f4400, ffff8881ea1f5400)
The buggy address belongs to the page:
page:ffffea0007a87c00 refcount:1 mapcount:0 mapping:ffff8881f5d05180 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5d05180
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
 getname_flags+0xb8/0x4e0 fs/namei.c:141
 user_path_at_empty+0x28/0x50 fs/namei.c:2683
 user_path_at include/linux/namei.h:49 [inline]
 vfs_statx+0x115/0x210 fs/stat.c:187
 vfs_fstatat include/linux/fs.h:3372 [inline]
 __do_sys_newfstatat fs/stat.c:367 [inline]
 __se_sys_newfstatat+0xce/0x770 fs/stat.c:361
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 __free_slab+0x221/0x2e0 mm/slub.c:1774
 free_slab mm/slub.c:1789 [inline]
 discard_slab mm/slub.c:1795 [inline]
 unfreeze_partials+0x14e/0x180 mm/slub.c:2288
 put_cpu_partial+0x44/0x180 mm/slub.c:2324
 __slab_free+0x297/0x360 mm/slub.c:2971
 qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167
 quarantine_reduce+0x1d9/0x210 mm/kasan/quarantine.c:260
 __kasan_kmalloc+0x41/0x210 mm/kasan/common.c:507
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 getname_flags+0xb8/0x4e0 fs/namei.c:141
 getname fs/namei.c:212 [inline]
 user_path_mountpoint_at+0x22/0x40 fs/namei.c:2822
 ksys_umount+0x143/0x410 fs/namespace.c:1690
 __do_sys_umount fs/namespace.c:1716 [inline]
 __se_sys_umount fs/namespace.c:1714 [inline]
 __x64_sys_umount+0x56/0x60 fs/namespace.c:1714
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881ea1f5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ea1f5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881ea1f5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff8881ea1f5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ea1f5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/11/11 00:00 android12-5.4 2ac128c04e33 d80eec66 .config console log report info ci2-android-5-4-kasan KASAN: slab-out-of-bounds Read in unaccount_page_cache_page
2024/01/31 10:11 android12-5.4 c84a70203fff 373b66cd .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Read in unaccount_page_cache_page
* Struck through repros no longer work on HEAD.