syzbot


KASAN: use-after-free Read in shmem_fault (2)

Status: auto-obsoleted due to no activity on 2022/08/26 18:49
Reported-by: syzbot+246c20cc64a0d4ce268b@syzkaller.appspotmail.com
First crash: 1797d, last: 1793d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in shmem_fault (2) mm 5 1849d 1910d 15/28 fixed on 2019/12/13 00:31
upstream KASAN: use-after-free Read in shmem_fault mm 3 2039d 2105d 0/28 closed as invalid on 2019/08/22 04:16
linux-4.19 KASAN: use-after-free Read in shmem_fault 1 2031d 2031d 0/1 auto-closed as invalid on 2019/10/25 08:45
android-49 KASAN: use-after-free Read in shmem_fault 1 2171d 2048d 0/3 auto-closed as invalid on 2019/06/10 04:57
Last patch testing requests (1)
Created Duration User Patch Repo Result
2022/08/26 17:27 11m retest repro linux-4.19.y error

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290
Read of size 8 at addr ffff888090cd1708 by task syz-executor.5/8862

CPU: 1 PID: 8862 Comm: syz-executor.5 Not tainted 4.19.91-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 shmem_fault+0x5ba/0x760 mm/shmem.c:2016
 __do_fault+0x111/0x480 mm/memory.c:3269
 do_shared_fault mm/memory.c:3736 [inline]
 do_fault mm/memory.c:3814 [inline]
 handle_pte_fault mm/memory.c:4041 [inline]
 __handle_mm_fault+0x2b0e/0x3f80 mm/memory.c:4165
 handle_mm_fault+0x1b5/0x690 mm/memory.c:4202
 __do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390
 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204
RIP: 0033:0x441b61
Code: 8d 15 e3 c3 0a 00 8b 0c 8a 8b 04 82 29 c8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e <88> 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e 66 89 0f 48 83 c6
RSP: 002b:00007fff29747238 EFLAGS: 00010202
RAX: 0000000020000100 RBX: 0000000000000000 RCX: 000000000000002f
RDX: 0000000000000009 RSI: 0000000000760248 RDI: 0000000020000100
RBP: 0000000000760228 R08: 0000000000760228 R09: ffffffffffffffff
R10: 00007fff29747300 R11: 0000000000000246 R12: 000000000075bfc8
R13: 0000000000000006 R14: 0000000000760230 R15: 000000000075bfd4

Allocated by task 8863:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x700 mm/slab.c:3559
 shmem_alloc_inode+0x1c/0x50 mm/shmem.c:3595
 alloc_inode+0x64/0x190 fs/inode.c:210
 new_inode_pseudo+0x19/0xf0 fs/inode.c:903
 new_inode+0x1f/0x40 fs/inode.c:932
 shmem_get_inode+0x84/0x780 mm/shmem.c:2192
 __shmem_file_setup.part.0+0x1e2/0x2b0 mm/shmem.c:3951
 __shmem_file_setup mm/shmem.c:3945 [inline]
 shmem_kernel_file_setup mm/shmem.c:3981 [inline]
 shmem_zero_setup+0xe2/0x474 mm/shmem.c:4025
 mmap_region+0x1364/0x1760 mm/mmap.c:1779
 do_mmap+0x8e2/0x1080 mm/mmap.c:1536
 do_mmap_pgoff include/linux/mm.h:2314 [inline]
 vm_mmap_pgoff+0x1c5/0x230 mm/util.c:357
 ksys_mmap_pgoff+0xf7/0x630 mm/mmap.c:1586
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3765
 shmem_destroy_callback+0x6e/0xc0 mm/shmem.c:3606
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
 __do_softirq+0x25c/0x921 kernel/softirq.c:292

The buggy address belongs to the object at ffff888090cd1568
 which belongs to the cache shmem_inode_cache(49:syz5) of size 1192
The buggy address is located 416 bytes inside of
 1192-byte region [ffff888090cd1568, ffff888090cd1a10)
The buggy address belongs to the page:
page:ffffea0002433440 count:1 mapcount:0 mapping:ffff8880a3f37500 index:0xffff888090cd1ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a04bda48 ffffea00020db3c8 ffff8880a3f37500
raw: ffff888090cd1ffd ffff888090cd1040 0000000100000003 ffff88809260acc0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88809260acc0

Memory state around the buggy address:
 ffff888090cd1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888090cd1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888090cd1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888090cd1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888090cd1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/12/21 16:00 linux-4.19.y 672481c2deff bc586918 .config console log report syz ci2-linux-4-19
2019/12/25 00:26 linux-4.19.y 672481c2deff be5c2c81 .config console log report ci2-linux-4-19
2019/12/21 14:56 linux-4.19.y 672481c2deff bc586918 .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.