syzbot


KASAN: use-after-free Read in relay_switch_subbuf

Status: upstream: reported C repro on 2019/11/05 17:36
Reported-by: syzbot+3905118b6e6567443ca7@syzkaller.appspotmail.com
First crash: 1191d, last: 148d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: no output from test machine (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [release commit]:
commit c196b3a9c83ae3491280b739d231d02b3cb9d041
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed Dec 2 07:34:45 2020 +0000

  Linux 4.14.210

similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in relay_switch_subbuf C done error 93 102d 1596d 0/24 upstream: reported C repro on 2018/09/26 07:41
linux-4.19 KASAN: use-after-free Read in relay_switch_subbuf 10 957d 1381d 0/1 auto-closed as invalid on 2020/10/24 01:02
linux-4.19 KASAN: use-after-free Read in relay_switch_subbuf (2) 22 11d 478d 0/1 upstream: reported on 2021/10/17 18:33

Sample crash report:
devpts: called with bogus options
devpts: called with bogus options
relay: one or more items not logged [item size (56) > sub-buffer size (9)]
devpts: called with bogus options
==================================================================
BUG: KASAN: use-after-free in relay_switch_subbuf+0x87c/0x8e0 kernel/relay.c:754
Read of size 8 at addr ffff88809a3d6778 by task kworker/0:2/2601

CPU: 0 PID: 2601 Comm: kworker/0:2 Not tainted 4.14.151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 relay_switch_subbuf+0x87c/0x8e0 kernel/relay.c:754
 relay_flush kernel/relay.c:882 [inline]
 relay_flush+0x1ae/0x270 kernel/relay.c:866
 blk_trace_startstop+0x203/0x5c0 kernel/trace/blktrace.c:657
 blk_trace_shutdown+0x47/0x60 kernel/trace/blktrace.c:727
 __blk_release_queue+0x22e/0x4d0 block/blk-sysfs.c:830
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 6850:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 __d_alloc+0x2d/0x9f0 fs/dcache.c:1623
 d_alloc+0x4d/0x270 fs/dcache.c:1710
 __lookup_hash fs/namei.c:1570 [inline]
 __lookup_hash+0x58/0x180 fs/namei.c:1562
 lookup_one_len+0x27b/0x3a0 fs/namei.c:2538
 start_creating fs/debugfs/inode.c:314 [inline]
 start_creating+0xa6/0x1b0 fs/debugfs/inode.c:290
 __debugfs_create_file+0x53/0x3d0 fs/debugfs/inode.c:353
 debugfs_create_file+0x5a/0x70 fs/debugfs/inode.c:404
 blk_create_buf_file_callback+0x33/0x40 kernel/trace/blktrace.c:445
 relay_create_buf_file+0xf1/0x160 kernel/relay.c:427
 relay_open_buf.part.0+0x6a9/0x9e0 kernel/relay.c:456
 relay_open_buf kernel/relay.c:448 [inline]
 relay_open kernel/relay.c:598 [inline]
 relay_open+0x4e7/0x920 kernel/relay.c:562
 do_blk_trace_setup+0x3ca/0xb10 kernel/trace/blktrace.c:533
 blk_trace_setup+0xbd/0x140 kernel/trace/blktrace.c:579
 blk_trace_ioctl+0x147/0x270 kernel/trace/blktrace.c:694
 blkdev_ioctl+0x100/0x1860 block/ioctl.c:580
 block_ioctl+0xde/0x120 fs/block_dev.c:1881
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 __d_free+0x20/0x30 fs/dcache.c:270
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288

The buggy address belongs to the object at ffff88809a3d6720
 which belongs to the cache dentry of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff88809a3d6720, ffff88809a3d6840)
The buggy address belongs to the page:
page:ffffea000268f580 count:1 mapcount:0 mapping:ffff88809a3d6040 index:0xffff88809a3d6300
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88809a3d6040 ffff88809a3d6300 0000000100000008
raw: ffffea000251b0a0 ffffea000251a9e0 ffff88821f8b5680 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809a3d6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a3d6680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88809a3d6700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff88809a3d6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809a3d6800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (5):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2019/11/05 19:01 linux-4.14.y ddef1e8e3f6e af5c522d .config console log report syz C
ci2-linux-4-14 2022/09/12 16:47 linux-4.14.y 65640c873dcf f371ed7e .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in relay_switch_subbuf
ci2-linux-4-14 2020/07/11 02:33 linux-4.14.y b850307b279c 18d18b59 .config console log report
ci2-linux-4-14 2019/11/21 05:55 linux-4.14.y f56f3d0e65ad 8098ea0f .config console log report
ci2-linux-4-14 2019/11/05 16:36 linux-4.14.y ddef1e8e3f6e af5c522d .config console log report
* Struck through repros no longer work on HEAD.