syzbot


KASAN: use-after-free Read in io_poll_remove_entries

Status: upstream: reported C repro on 2022/03/22 08:52
Reported-by: syzbot+cd301bb6523ea8cc8ca2@syzkaller.appspotmail.com
First crash: 195d, last: 57d

Cause bisection: introduced by (bisect log) :
commit 91eac1c69c202d9dad8bf717ae5b92db70bfe5cf
Author: Jens Axboe <axboe@kernel.dk>
Date: Wed Mar 16 22:59:10 2022 +0000

  io_uring: cache poll/double-poll state with a request flag

Crash: KASAN: use-after-free Read in tty_release (log)
Repro: C syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2022/03/23 01:22 12m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.18/io_uring OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3ab9/0x5660 kernel/locking/lockdep.c:4923
Read of size 8 at addr ffff88807b7a93b8 by task syz-executor404/4110

CPU: 0 PID: 4110 Comm: syz-executor404 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 __lock_acquire+0x3ab9/0x5660 kernel/locking/lockdep.c:4923
 lock_acquire kernel/locking/lockdep.c:5665 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:170
 spin_lock_irq include/linux/spinlock.h:374 [inline]
 io_poll_remove_entry fs/io_uring.c:6840 [inline]
 io_poll_remove_entries.part.0+0x15f/0x7e0 fs/io_uring.c:6873
 io_poll_remove_entries fs/io_uring.c:6853 [inline]
 io_apoll_task_func+0xbd/0x230 fs/io_uring.c:6989
 handle_tw_list fs/io_uring.c:2938 [inline]
 tctx_task_work+0x16a/0xe10 fs/io_uring.c:2967
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xaff/0x2a00 kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fd1eaa3a689
Code: Unable to access opcode bytes at RIP 0x7fd1eaa3a65f.
RSP: 002b:00007ffe67b8b7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fd1eaaae330 RCX: 00007fd1eaa3a689
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd1eaaae330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

Allocated by task 4110:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 io_ring_ctx_alloc fs/io_uring.c:1838 [inline]
 io_uring_create fs/io_uring.c:12396 [inline]
 io_uring_setup.cold+0x12e/0x27fc fs/io_uring.c:12535
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 3650:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1727 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1753
 slab_free mm/slub.c:3507 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4555
 io_ring_ctx_free fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xe29/0xe74 fs/io_uring.c:11303
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 insert_work+0x48/0x350 kernel/workqueue.c:1358
 __queue_work+0x62e/0x1140 kernel/workqueue.c:1517
 queue_work_on+0xee/0x110 kernel/workqueue.c:1545
 queue_work include/linux/workqueue.h:502 [inline]
 io_ring_ctx_wait_and_kill+0x327/0x360 fs/io_uring.c:11357
 io_uring_release+0x42/0x46 fs/io_uring.c:11365
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xaff/0x2a00 kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88807b7a9000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 952 bytes inside of
 2048-byte region [ffff88807b7a9000, ffff88807b7a9800)

The buggy address belongs to the physical page:
page:ffffea0001edea00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b7a8
head:ffffea0001edea00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4110, tgid 4110 (syz-executor404), ts 76147822933, free_ts 76137859535
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x1290/0x3b70 mm/page_alloc.c:4198
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1797 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x985/0xd90 mm/slub.c:3002
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3089
 slab_alloc_node mm/slub.c:3180 [inline]
 slab_alloc mm/slub.c:3222 [inline]
 __kmalloc+0x318/0x350 mm/slub.c:4413
 io_ring_ctx_alloc fs/io_uring.c:1838 [inline]
 io_uring_create fs/io_uring.c:12396 [inline]
 io_uring_setup.cold+0x12e/0x27fc fs/io_uring.c:12535
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2521
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:750 [inline]
 slab_alloc_node mm/slub.c:3214 [inline]
 slab_alloc mm/slub.c:3222 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3229 [inline]
 kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3239
 vm_area_alloc+0x1c/0x110 kernel/fork.c:459
 mmap_region+0x96e/0x1460 mm/mmap.c:1776
 do_mmap+0x863/0xfa0 mm/mmap.c:1587
 vm_mmap_pgoff+0x1b7/0x290 mm/util.c:552
 ksys_mmap_pgoff+0x40d/0x5a0 mm/mmap.c:1633
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Memory state around the buggy address:
 ffff88807b7a9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b7a9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b7a9380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88807b7a9400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b7a9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (357):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/06/02 22:19 upstream d1dc87763f40 5783034f .config log report syz C KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/04/18 23:51 upstream b2d229d4ddb1 8bcc32a6 .config log report syz C KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/04/18 23:25 upstream b2d229d4ddb1 8bcc32a6 .config log report syz C KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-smack-root 2022/03/23 01:20 upstream b47d5a4f6b8d d88ef0c5 .config log report syz C KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/06/04 00:17 upstream 50fd82b3a9a9 eee80d3c .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/06/03 20:49 upstream 50fd82b3a9a9 eee80d3c .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/06/03 12:11 upstream 50fd82b3a9a9 02dddea8 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/06/03 09:34 upstream 50fd82b3a9a9 02dddea8 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/06/03 07:59 upstream 50fd82b3a9a9 02dddea8 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/06/02 19:35 upstream d1dc87763f40 5783034f .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/06/02 07:14 upstream 8171acb8bc9b b4bc6a3d .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/31 19:00 upstream 8ab2afa23bd1 af70c3a9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/05/31 05:35 upstream 2c5ca23f7414 af70c3a9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/30 18:38 upstream b00ed48bb0a7 af70c3a9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/05/30 13:16 upstream b00ed48bb0a7 a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/05/30 07:13 upstream b00ed48bb0a7 a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/05/29 01:13 upstream 9d004b2f4fea a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/29 00:08 upstream 9d004b2f4fea a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/28 17:04 upstream 9d004b2f4fea a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/28 06:15 upstream 8291eaafed36 a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-smack-root 2022/05/27 23:36 upstream 8291eaafed36 a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/27 04:12 upstream babf0bb978e3 3037caa9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/25 20:18 upstream fdaf9a5840ac 647c0e27 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/25 19:12 upstream fdaf9a5840ac 647c0e27 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/25 05:05 upstream aa051d36ce4a 647c0e27 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/24 09:59 upstream 1e57930e9f40 e7f9308d .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/05/23 19:10 upstream 4b0986a3613c 4c7657cb .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/23 15:41 upstream 4b0986a3613c 4c7657cb .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/23 05:00 upstream 4b0986a3613c 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/05/23 00:34 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/22 19:08 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/22 17:29 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/22 02:50 upstream 6c3f5bec9b40 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-root 2022/05/21 16:35 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/05/21 15:32 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/21 10:07 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/20 06:28 upstream b015dcd62b86 cb1ac2e7 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/05/19 14:56 upstream f993aed406ea 50c53f39 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/05/19 09:38 upstream f993aed406ea 50c53f39 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-selinux-root 2022/03/22 06:18 upstream 8565d64430f8 e2d91b1d .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-386 2022/05/27 12:47 upstream 7e284070abe5 116e7a7b .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce-386 2022/05/19 23:45 upstream b015dcd62b86 cb1ac2e7 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/08/07 10:26 linux-next cb71b93c2dc3 88e3a122 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/07/13 03:15 linux-next cb71b93c2dc3 d91dd8ea .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/07/11 18:23 linux-next cb71b93c2dc3 da3d6955 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/07/05 00:13 linux-next cb71b93c2dc3 bff65f44 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/06/25 00:16 linux-next 2f9cb3d3bd73 a5dbd430 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/06/03 02:09 linux-next 5d8e7e3bbaaf 5783034f .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/06/01 02:44 linux-next 3b46e4e44180 3666edfe .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/31 02:49 linux-next d3fde8ff50ab af70c3a9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/30 05:29 linux-next d3fde8ff50ab a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/28 20:08 linux-next d3fde8ff50ab a46af346 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/26 18:55 linux-next b1d84fc09a96 3037caa9 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/23 08:46 linux-next 18ecd30af1a8 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/22 08:12 linux-next 18ecd30af1a8 7268fa62 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/21 00:47 linux-next 18ecd30af1a8 bd37ad7e .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-linux-next-kasan-gce-root 2022/05/19 11:02 linux-next 3f7bdc402fb0 50c53f39 .config log report info KASAN: use-after-free Read in io_poll_remove_entries
ci-upstream-kasan-gce 2022/04/10 16:19 upstream e1f700ebd6be e22c3da3 .config log report info KFENCE: use-after-free in io_poll_remove_entries
ci-upstream-kasan-gce-386 2022/04/01 13:45 upstream e8b767f5e040 20955a24 .config log report info BUG: corrupted list in io_poll_remove_entries
* Struck through repros no longer work on HEAD.