KASAN: use-after-free Read in debugfs

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in debugfs_remove (2) fs	19				1	2953d	2951d	5/29	fixed on 2018/05/17 10:02
upstream	KASAN: use-after-free Read in debugfs_remove (3)	19	C	done	error	88	2314d	2781d	0/29	closed as dup on 2020/06/28 17:08
upstream	KASAN: use-after-free Read in debugfs_remove fs	19				1	2974d	2973d	0/29	closed as invalid on 2018/04/10 15:18
linux-4.14	KASAN: use-after-free Read in debugfs_remove	19	C		inconclusive	14	2037d	2592d	0/1	upstream: reported C repro on 2019/04/17 06:08

Kernel

Title

Rank 🛈

upstream

KASAN: use-after-free Read in debugfs_remove (2) fs

2953d

2951d

5/29

fixed on 2018/05/17 10:02

upstream

KASAN: use-after-free Read in debugfs_remove (3)

done

error

2314d

2781d

0/29

closed as dup on 2020/06/28 17:08

upstream

KASAN: use-after-free Read in debugfs_remove fs

2974d

2973d

0/29

closed as invalid on 2018/04/10 15:18

linux-4.14

KASAN: use-after-free Read in debugfs_remove

inconclusive

2037d

2592d

0/1

upstream: reported C repro on 2019/04/17 06:08


Created	Duration	User	Repo	Result
2020/12/01 00:43	3h32m	bisect fix	linux-4.19.y	OK (1) job log
2020/10/31 23:47	24m	bisect fix	linux-4.19.y	OK (0) job log log
2020/10/01 23:20	27m	bisect fix	linux-4.19.y	OK (0) job log log
2020/08/30 20:03	28m	bisect fix	linux-4.19.y	OK (0) job log log
2020/06/16 21:13	28m	bisect fix	linux-4.19.y	OK (0) job log log
2020/05/17 20:42	31m	bisect fix	linux-4.19.y	OK (0) job log log
2020/04/17 20:15	26m	bisect fix	linux-4.19.y	OK (0) job log log
2020/02/17 13:29	24m	bisect fix	linux-4.19.y	OK (0) job log log
2020/01/13 11:19	38m	bisect fix	linux-4.19.y	OK (0) job log log
2019/12/14 10:07	32m	bisect fix	linux-4.19.y	OK (0) job log log

audit: type=1400 audit(1599002331.610:8): avc: denied { execmem } for pid=6460 comm="syz-executor843" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 blktrace: Concurrent blktraces are not allowed on loop0 ================================================================== BUG: KASAN: use-after-free in debugfs_remove+0x1c1/0x210 fs/debugfs/inode.c:687 Read of size 8 at addr ffff88808379c900 by task kworker/0:1/14 CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.142-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events __blk_release_queue Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2fe lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 debugfs_remove+0x1c1/0x210 fs/debugfs/inode.c:687 blk_trace_free+0x31/0x130 kernel/trace/blktrace.c:315 blk_trace_cleanup kernel/trace/blktrace.c:343 [inline] __blk_trace_remove+0x8b/0x100 kernel/trace/blktrace.c:356 blk_trace_shutdown+0x92/0x100 kernel/trace/blktrace.c:768 __blk_release_queue+0x235/0x4e0 block/blk-sysfs.c:855 process_one_work+0x864/0x1570 kernel/workqueue.c:2155 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 6470: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 __d_alloc+0x2b/0xa10 fs/dcache.c:1610 d_alloc+0x4a/0x230 fs/dcache.c:1694 d_alloc_parallel+0xeb/0x19e0 fs/dcache.c:2441 __lookup_slow+0x18d/0x4a0 fs/namei.c:1655 lookup_one_len+0x163/0x190 fs/namei.c:2544 start_creating.part.0+0x62/0x160 fs/tracefs/inode.c:336 start_creating fs/debugfs/inode.c:301 [inline] __debugfs_create_file+0xb8/0x4e0 fs/debugfs/inode.c:352 do_blk_trace_setup+0x3a5/0xc30 kernel/trace/blktrace.c:542 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:591 blk_trace_ioctl+0x155/0x290 kernel/trace/blktrace.c:732 blkdev_ioctl+0x112/0x1a7e block/ioctl.c:587 block_ioctl+0xe9/0x130 fs/block_dev.c:1896 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705 __do_sys_ioctl fs/ioctl.c:712 [inline] __se_sys_ioctl fs/ioctl.c:710 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 18: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292 The buggy address belongs to the object at ffff88808379c8c0 which belongs to the cache dentry of size 288 The buggy address is located 64 bytes inside of 288-byte region [ffff88808379c8c0, ffff88808379c9e0) The buggy address belongs to the page: page:ffffea00020de700 count:1 mapcount:0 mapping:ffff88821bc44c80 index:0xffff88808379c4a0 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffffea00020de748 ffffea00020bf248 ffff88821bc44c80 raw: ffff88808379c4a0 ffff88808379c080 0000000100000007 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808379c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808379c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff88808379c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88808379c980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88808379ca00: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== blktrace: Concurrent blktraces are not allowed on loop0

Crashes (15):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2020/09/01 23:20	linux-4.19.y	f6d5cb9e2c06	abf9ba4f	.config	console log	report	syz	C	ci2-linux-4-19
2020/09/01 10:09	linux-4.19.y	f6d5cb9e2c06	d5a3ae1f	.config	console log	report	syz	C	ci2-linux-4-19
2020/03/04 14:47	linux-4.19.y	a083db76118d	712198ac	.config	console log	report	syz	C	ci2-linux-4-19
2019/11/05 20:37	linux-4.19.y	ef244c308885	af5c522d	.config	console log	report	syz	C	ci2-linux-4-19
2019/07/22 04:47	linux-4.19.y	be9b6782a9eb	1656845f	.config	console log	report	syz	C	ci2-linux-4-19
2019/06/23 17:43	linux-4.19.y	78778071092e	3efccdd2	.config	console log	report	syz	C	ci2-linux-4-19
2020/07/31 18:57	linux-4.19.y	13af6c74b14a	8df85ed9	.config	console log	report			ci2-linux-4-19
2020/07/06 08:13	linux-4.19.y	399849e4654e	ac5a135b	.config	console log	report			ci2-linux-4-19
2020/03/18 18:15	linux-4.19.y	93556fb211fa	0a96a13c	.config	console log	report			ci2-linux-4-19
2020/01/18 13:29	linux-4.19.y	dc4ba5be1bab	3de7aabb	.config	console log	report			ci2-linux-4-19
2020/01/14 11:14	linux-4.19.y	dcd888983542	32881205	.config	console log	report			ci2-linux-4-19
2019/09/16 11:11	linux-4.19.y	db2d0b7c1dde	55c50e70	.config	console log	report			ci2-linux-4-19
2019/08/16 09:22	linux-4.19.y	a5aa80588fcd	8fd428a1	.config	console log	report			ci2-linux-4-19
2019/07/26 01:41	linux-4.19.y	be9b6782a9eb	732bc5a0	.config	console log	report			ci2-linux-4-19
2019/06/23 13:50	linux-4.19.y	78778071092e	3efccdd2	.config	console log	report			ci2-linux-4-19

Crashes (15):

Assets (help?)

2020/09/01 23:20

linux-4.19.y