KASAN: use-after-free Read in shmem

Kernel	Title	Rank 🛈	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in shmem_fault (2) mm	19	5	2098d	2158d	15/29	fixed on 2019/12/13 00:31
upstream	KASAN: use-after-free Read in shmem_fault mm	19	3	2287d	2353d	0/29	closed as invalid on 2019/08/22 04:16
linux-4.19	KASAN: use-after-free Read in shmem_fault	19	1	2280d	2280d	0/1	auto-closed as invalid on 2019/10/25 08:45
android-49	KASAN: use-after-free Read in shmem_fault	19	1	2420d	2296d	0/3	auto-closed as invalid on 2019/06/10 04:57

Created	Duration	User	Patch	Repo	Result
2022/08/26 17:27	11m	retest repro		linux-4.19.y	error

Created

Duration

User

Patch

Repo

Result

2022/08/26 17:27

11m

retest repro

linux-4.19.y

error

================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290 Read of size 8 at addr ffff888090cd1708 by task syz-executor.5/8862 CPU: 1 PID: 8862 Comm: syz-executor.5 Not tainted 4.19.91-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __lock_acquire+0x34ac/0x49c0 kernel/locking/lockdep.c:3290 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3903 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] shmem_fault+0x5ba/0x760 mm/shmem.c:2016 __do_fault+0x111/0x480 mm/memory.c:3269 do_shared_fault mm/memory.c:3736 [inline] do_fault mm/memory.c:3814 [inline] handle_pte_fault mm/memory.c:4041 [inline] __handle_mm_fault+0x2b0e/0x3f80 mm/memory.c:4165 handle_mm_fault+0x1b5/0x690 mm/memory.c:4202 __do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204 RIP: 0033:0x441b61 Code: 8d 15 e3 c3 0a 00 8b 0c 8a 8b 04 82 29 c8 c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 fa 20 48 89 f8 73 77 f6 c2 01 74 0b 0f b6 0e <88> 0f 48 ff c6 48 ff c7 f6 c2 02 74 12 0f b7 0e 66 89 0f 48 83 c6 RSP: 002b:00007fff29747238 EFLAGS: 00010202 RAX: 0000000020000100 RBX: 0000000000000000 RCX: 000000000000002f RDX: 0000000000000009 RSI: 0000000000760248 RDI: 0000000020000100 RBP: 0000000000760228 R08: 0000000000760228 R09: ffffffffffffffff R10: 00007fff29747300 R11: 0000000000000246 R12: 000000000075bfc8 R13: 0000000000000006 R14: 0000000000760230 R15: 000000000075bfd4 Allocated by task 8863: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x700 mm/slab.c:3559 shmem_alloc_inode+0x1c/0x50 mm/shmem.c:3595 alloc_inode+0x64/0x190 fs/inode.c:210 new_inode_pseudo+0x19/0xf0 fs/inode.c:903 new_inode+0x1f/0x40 fs/inode.c:932 shmem_get_inode+0x84/0x780 mm/shmem.c:2192 __shmem_file_setup.part.0+0x1e2/0x2b0 mm/shmem.c:3951 __shmem_file_setup mm/shmem.c:3945 [inline] shmem_kernel_file_setup mm/shmem.c:3981 [inline] shmem_zero_setup+0xe2/0x474 mm/shmem.c:4025 mmap_region+0x1364/0x1760 mm/mmap.c:1779 do_mmap+0x8e2/0x1080 mm/mmap.c:1536 do_mmap_pgoff include/linux/mm.h:2314 [inline] vm_mmap_pgoff+0x1c5/0x230 mm/util.c:357 ksys_mmap_pgoff+0xf7/0x630 mm/mmap.c:1586 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 18: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x86/0x260 mm/slab.c:3765 shmem_destroy_callback+0x6e/0xc0 mm/shmem.c:3606 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881 __do_softirq+0x25c/0x921 kernel/softirq.c:292 The buggy address belongs to the object at ffff888090cd1568 which belongs to the cache shmem_inode_cache(49:syz5) of size 1192 The buggy address is located 416 bytes inside of 1192-byte region [ffff888090cd1568, ffff888090cd1a10) The buggy address belongs to the page: page:ffffea0002433440 count:1 mapcount:0 mapping:ffff8880a3f37500 index:0xffff888090cd1ffd flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffff8880a04bda48 ffffea00020db3c8 ffff8880a3f37500 raw: ffff888090cd1ffd ffff888090cd1040 0000000100000003 ffff88809260acc0 page dumped because: kasan: bad access detected page->mem_cgroup:ffff88809260acc0 Memory state around the buggy address: ffff888090cd1600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888090cd1680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888090cd1700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888090cd1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888090cd1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (3):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	Manager
2019/12/21 16:00	linux-4.19.y	672481c2deff	bc586918	.config	console log	report	syz	ci2-linux-4-19
2019/12/25 00:26	linux-4.19.y	672481c2deff	be5c2c81	.config	console log	report		ci2-linux-4-19
2019/12/21 14:56	linux-4.19.y	672481c2deff	bc586918	.config	console log	report		ci2-linux-4-19

Crashes (3):

Assets (help?)