syzbot


KASAN: use-after-free Write in udf_close_lvid

Status: upstream: reported C repro on 2022/05/24 00:17
Labels: udf
Reported-by: syzbot+60864ed35b1073540d57@syzkaller.appspotmail.com
First crash: 383d, last: 8d16h

Cause bisection: introduced by (bisect log):
commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d
Author: Jan Kara <jack@suse.cz>
Date: Mon May 3 09:39:03 2021 +0000

  udf: Check LVID earlier

Crash: KASAN: slab-out-of-bounds Write in udf_close_lvid (log)
Repro: C syz .config
Discussions (4)
Title | Replies (including bot) | Last reply
[syzbot] Monthly udf report (Jun 2023) | 0 (1) | 2023/06/07 09:22
[syzbot] Monthly udf report (May 2023) | 0 (1) | 2023/05/06 08:19
[syzbot] Monthly udf report | 0 (1) | 2023/04/05 08:52
[syzbot] KASAN: use-after-free Write in udf_close_lvid | 4 (5) | 2022/05/24 14:43
Similar bugs (4)
Kernel | Title [labels] | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Write in udf_close_lvid [udf] | C | error | - | 5 | 121d | 536d | 0/1 | upstream: reported C repro on 2021/12/21 15:22
linux-4.14 | KASAN: use-after-free Write in udf_close_lvid [udf] | C | - | - | 4 | 122d | 185d | 0/1 | upstream: reported C repro on 2022/12/07 21:30
linux-5.15 | KASAN: use-after-free Write in udf_close_lvid [origin:upstream] | C | - | - | 5 | 2d00h | 18d | 0/3 | upstream: reported C repro on 2023/05/23 16:31
linux-6.1 | BUG: unable to handle kernel paging request in udf_close_lvid [origin:upstream] | C | - | - | 2 | 12d | 70d | 0/3 | upstream: reported C repro on 2023/04/01 11:57
Last patch testing requests (3)
Created | Duration | User | Patch | Repo | Result
2022/05/28 07:34 | 17m | hdanton@sina.com | patch | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 97fa5887cf28 | OK
2022/05/24 07:31 | 15m | hdanton@sina.com | patch | upstream | report log
2022/05/24 04:48 | 4m | hdanton@sina.com | patch | upstream | error
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2022/10/12 17:52 38m (2) bisect fix upstream job log (0) log
2022/08/25 13:10 39m bisect fix upstream job log (0) log
2022/07/26 03:43 34m bisect fix upstream job log (0) log
2022/06/25 20:17 34m bisect fix upstream job log (0) log

Sample crash report:
=======================================================
UDF-fs: error (device loop0): udf_read_tagged: tag checksum failed, block 99: 0x27 != 0x4d
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in udf_close_lvid+0x6a8/0x9a0 fs/udf/super.c:2039
Write of size 1 at addr ffff8880b019f980 by task syz-executor206/4994

CPU: 0 PID: 4994 Comm: syz-executor206 Not tainted 6.4.0-rc1-syzkaller-00025-gd295b66a7b66 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:462
 kasan_report+0x176/0x1b0 mm/kasan/report.c:572
 udf_close_lvid+0x6a8/0x9a0 fs/udf/super.c:2039
 udf_put_super+0xcd/0x160 fs/udf/super.c:2326
 generic_shutdown_super+0x134/0x340 fs/super.c:500
 kill_block_super+0x84/0xf0 fs/super.c:1407
 deactivate_locked_super+0xa4/0x110 fs/super.c:331
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
 task_work_run+0x24a/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x68f/0x2290 kernel/exit.c:871
 do_group_exit+0x206/0x2c0 kernel/exit.c:1021
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __se_sys_exit_group kernel/exit.c:1030 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb01ec32be9
Code: Unable to access opcode bytes at 0x7fb01ec32bbf.
RSP: 002b:00007ffde2274a68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fb01ecc7330 RCX: 00007fb01ec32be9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000022 R11: 0000000000000246 R12: 00007fb01ecc7330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0002c067c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb019f
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0002c067c8 ffffea0002c067c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8880b019f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880b019f900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880b019f980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880b019fa00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880b019fa80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
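As an added example (not syzbot's or the kernel's code), the following Python parser turns a report like the one above into the fields a triager pulls out by hand: the access kind and size, the faulting function and file:line, the call chain with the KASAN and dump_stack plumbing frames removed, the syscall the task was in, the refcount of the page that owns the address, and the shadow byte at the faulting address decoded against the generic-KASAN poison table. Run on the report above it yields a 1-byte Write by udf_close_lvid at fs/udf/super.c:2039, reached from udf_put_super during the unmount that exit_group's task work performs, into a page whose shadow byte is 0xff (freed page, the poison KASAN reports as use-after-free) and whose struct page shows refcount:0. The helper and field names, and the SHADOW_POISON table as an inline copy of the mm/kasan/kasan.h values, are this example's own; the embedded sample is an excerpt of the report above.

```python
"""Triage helper for a syzbot KASAN report: added example, not syzbot tooling. SAMPLE_REPORT
is excerpted from the crash report above; helper, field and table names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Generic-KASAN poison values from mm/kasan/kasan.h (names have moved between releases;
# check them against the kernel being triaged). Shadow bytes 0x00..0x07 mean addressable.
SHADOW_POISON = {
    0xFF: "freed page (KASAN_PAGE_FREE)",
    0xFE: "redzone of a page allocation (KASAN_PAGE_REDZONE)",
    0xFC: "slab object redzone (KASAN_SLAB_REDZONE)",
    0xFB: "freed slab object (KASAN_SLAB_FREE)",
    0xFA: "freed slab object with free track (KASAN_SLAB_FREETRACK)",
}
SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory
PLUMBING = ("lib/dump_stack.c", "mm/kasan/")  # reporter frames, not part of the bug

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)(?: \[inline\])?$")
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|do|se)_sys_(\w+)$")
PAGE_RE = re.compile(r"^page:\S+ refcount:(?P<refcount>\d+) ")
SHADOW_RE = re.compile(r"^>(?P<base>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

@dataclass
class KasanReport:
    kind: str                      # e.g. use-after-free, slab-out-of-bounds
    func: str                      # function that performed the bad access
    location: str                  # file:line of that access
    access: str = ""               # Read or Write
    size: int = 0
    addr: int = 0
    task: str = ""                 # comm/pid
    syscall: Optional[str] = None  # syscall the task was in, if the trace shows one
    page_refcount: Optional[int] = None
    shadow_byte: Optional[int] = None
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (func, file:line), bug frame first

    @property
    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        return ("no marked shadow row" if b is None else "addressable" if b < SHADOW_SCALE
                else SHADOW_POISON.get(b, f"unrecognised poison {b:#04x}"))

def parse_kasan_report(text: str) -> KasanReport:
    rep, in_trace = None, False
    for raw in text.splitlines():
        line = raw.rstrip()  # keep leading whitespace: it marks stack frames
        if (m := BUG_RE.match(line)):
            rep = KasanReport(kind=m["kind"], func=m["func"], location=m["loc"])
        elif rep is None:
            continue  # dmesg noise before the BUG line
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size, rep.addr, rep.task = m["rw"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (line.startswith("RIP:") or line.strip() == "</TASK>"):
            in_trace = False
        elif in_trace and (m := FRAME_RE.match(line)):
            if not m["loc"].startswith(PLUMBING):
                rep.frames.append((m["func"], m["loc"]))
            if rep.syscall is None and (s := SYSCALL_RE.match(m["func"])):
                rep.syscall = s.group(1)
        elif (m := PAGE_RE.match(line)):
            rep.page_refcount = int(m["refcount"])
        elif (m := SHADOW_RE.match(line)):
            # Index the marked row by address arithmetic, not by the '^' caret line (its column rarely survives extraction).
            idx = (rep.addr - int(m["base"], 16)) // SHADOW_SCALE
            shadow = [int(b, 16) for b in m["bytes"].split()]
            if 0 <= idx < len(shadow):
                rep.shadow_byte = shadow[idx]
    if rep is None:
        raise ValueError("no 'BUG: KASAN:' line in input")
    return rep

# Excerpt of the sample crash report above (some frames dropped for length).
SAMPLE_REPORT = """\
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
BUG: KASAN: use-after-free in udf_close_lvid+0x6a8/0x9a0 fs/udf/super.c:2039
Write of size 1 at addr ffff8880b019f980 by task syz-executor206/4994

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 kasan_report+0x176/0x1b0 mm/kasan/report.c:572
 udf_close_lvid+0x6a8/0x9a0 fs/udf/super.c:2039
 udf_put_super+0xcd/0x160 fs/udf/super.c:2326
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
RIP: 0033:0x7fb01ec32be9
page:ffffea0002c067c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb019f
Memory state around the buggy address:
>ffff8880b019f980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

if __name__ == "__main__":
    print(parse_kasan_report(SAMPLE_REPORT))
```

Feed parse_kasan_report the full text behind any of the "report" links in the Crashes table to compare runs: the same write in udf_close_lvid is titled use-after-free, slab-out-of-bounds or "unable to handle kernel paging request" on different runs, and the decoded shadow byte and page refcount tell you which memory state the write actually hit each time.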

Crashes (46):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/05/11 13:30 upstream d295b66a7b66 0fbd49f4 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/04/29 18:40 upstream 89d77f71f493 62df2017 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/02/09 13:11 upstream 0983f6bf2bfc 14a312c8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/12/16 18:22 upstream 84e57d292203 79e1d513 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Write in udf_close_lvid
2022/11/29 04:59 upstream b7b275e60bcd ca9683b8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/05/23 17:07 upstream 4b0986a3613c 4c7657cb .config console log report syz C ci-upstream-kasan-gce-smack-root KASAN: use-after-free Write in udf_close_lvid
2023/05/31 08:05 linux-next 715abedee4cd 09898419 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Write in udf_close_lvid
2023/01/21 03:59 linux-next d514392f17fd 559a440a .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Write in udf_close_lvid
2023/06/02 05:41 upstream 1874a42a7d74 a4ae4f42 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/30 10:26 upstream 8b817fded42d cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/28 16:41 upstream 416839029e38 cf184559 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/24 16:28 upstream 9d646009f65d 4bce1a3e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/03 22:52 upstream 348551ddaf31 b5918830 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/03/13 11:38 upstream eeac8ede1755 5205ef30 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/01/02 17:48 upstream 88603b6dc419 ab32d508 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2022/12/30 04:23 upstream 2258c2dc850b 44712fbc .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2022/12/02 07:49 upstream ef4d3ea40565 e080de16 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2022/11/04 18:13 upstream ee6050c8af96 6d752409 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/16 10:11 upstream f1fcbaa18b28 71b00cfb .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/05/09 14:57 upstream ba0ad6ed89fd 30aa2a7e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Write in udf_close_lvid
2023/04/26 09:42 upstream 0cfd8703e7da 65320f8e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/04/24 17:16 upstream 457391b03803 fdc18293 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/04/18 12:44 upstream 6a8f57ae2eb0 436577a9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/03/23 10:57 upstream fff5a5e7f528 f94b4a29 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/03/15 05:22 upstream 4979bf866825 0d5c4377 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/02/11 12:12 upstream 420b2d431d18 93e26d60 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/02/03 06:59 upstream e7368fd30165 33fc5c09 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/31 09:29 upstream 6d796c50f84c b68fb8d6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/22 13:54 upstream 2241ab53cbb5 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/20 18:33 upstream d368967cb103 dd15ff29 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/16 10:34 upstream 5dc4c995db9e a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/15 14:01 upstream 7c6984405241 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2023/01/12 10:35 upstream e8f60cd7db24 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/12/20 20:43 upstream 6feb57c2fd7c d3e76707 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/12/05 16:29 upstream 76dcd734eca2 045cbb84 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/12/02 18:17 upstream a4412fdd49dc e080de16 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/11/24 09:07 upstream 4312098baf37 ff68ff8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Write in udf_close_lvid
2022/11/04 17:44 upstream ee6050c8af96 6d752409 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Write in udf_close_lvid
2023/05/21 02:35 upstream 0dd2a6fb1e34 4bce1a3e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/17 07:46 upstream f1fcbaa18b28 11c89444 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/05/05 14:21 upstream 78b421b6a7c6 518a39a6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Write in udf_close_lvid
2023/05/05 06:28 upstream 3c4aa4434377 518a39a6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: unable to handle kernel paging request in udf_close_lvid
2023/03/29 16:06 upstream fcd476ea6a88 f325deb0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in udf_close_lvid
2023/03/06 00:04 upstream f915322fe014 f8902b57 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs BUG: unable to handle kernel paging request in udf_close_lvid
2023/04/14 21:07 upstream 95abc817ab3a ec410564 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in udf_close_lvid
2023/01/31 09:14 linux-next 80bd9028feca 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Write in udf_close_lvid