syzbot


KASAN: invalid-free in bdev_free_inode

Status: auto-closed as invalid on 2021/05/11 01:13
Subsystems: kernfs
Reported-by: syzbot+48313eb09ec08f5ea43a@syzkaller.appspotmail.com
First crash: 1191d, last: 1163d
Discussions (1)
Title: KASAN: invalid-free in bdev_free_inode
Replies (including bot): 0 (1)
Last reply: 2020/12/17 08:54
Similar bugs (1)
Kernel: upstream
Title: KASAN: invalid-free in bdev_free_inode (2)
Subsystems: fs
Repro: syz
Cause bisect: done
Fix bisect: unreliable
Count: 10
Last: 927d
Reported: 955d
Patched: 0/26
Status: auto-obsoleted due to no activity on 2022/09/15 21:51

Sample crash report:
==================================================================
BUG: KASAN: double-free or invalid-free in bdev_free_inode+0x57/0x80 fs/block_dev.c:787

CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 5.11.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:188 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kfree+0xed/0x270 mm/slab.c:3760
 bdev_free_inode+0x57/0x80 fs/block_dev.c:787
 i_callback+0x3f/0x70 fs/inode.c:222
 rcu_do_batch kernel/rcu/tree.c:2489 [inline]
 rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723
 __do_softirq+0x2a5/0x9f7 kernel/softirq.c:343
 run_ksoftirqd kernel/softirq.c:650 [inline]
 run_ksoftirqd+0x2d/0x50 kernel/softirq.c:642
 smpboot_thread_fn+0x655/0x9e0 kernel/smpboot.c:165
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 4893:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x7f/0xa0 mm/kasan/common.c:429
 kasan_kmalloc include/linux/kasan.h:215 [inline]
 kmem_cache_alloc_trace+0x1e0/0x400 mm/slab.c:3554
 kmalloc include/linux/slab.h:552 [inline]
 kernfs_get_open_node fs/kernfs/file.c:571 [inline]
 kernfs_fop_open+0x957/0xd40 fs/kernfs/file.c:717
 do_dentry_open+0x4b9/0x11b0 fs/open.c:817
 do_open fs/namei.c:3254 [inline]
 path_openat+0x1b9a/0x2730 fs/namei.c:3371
 do_filp_open+0x17e/0x3c0 fs/namei.c:3398
 do_sys_openat2+0x16d/0x420 fs/open.c:1172
 do_sys_open fs/open.c:1188 [inline]
 __do_sys_open fs/open.c:1196 [inline]
 __se_sys_open fs/open.c:1192 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1192
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 4893:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 ____kasan_slab_free+0xb0/0xe0 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:188 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kfree+0xed/0x270 mm/slab.c:3760
 kernfs_fop_release+0xe3/0x190 fs/kernfs/file.c:779
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:302
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88802b138200
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
 128-byte region [ffff88802b138200, ffff88802b138280)
The buggy address belongs to the page:
page:000000005f879877 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b138b00 pfn:0x2b138
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00004c7348 ffffea000078cdc8 ffff888010040400
raw: ffff88802b138b00 ffff88802b138000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802b138100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b138180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b138200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802b138280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b138300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
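A triage script for a report like the one above, added here as an example (it is not syzbot's or the kernel's code). It pulls out the bug type and faulting site, the slab object bounds, the first non-allocator frame of the "Allocated by" and "Freed by" tracks, and decodes the shadow-memory dump into freed/redzone regions. The poison values are taken from mm/kasan/kasan.h for generic KASAN in the 5.11 series and are assumed to match the reporting kernel; the embedded report is a constructed, trimmed copy of the lines above. The point it makes explicit is a caveat for reading invalid-free reports: the two tracks describe the most recent tenant of the slot (here kernfs_fop_open/kernfs_fop_release), while the header names the second free (bdev_free_inode). When those disagree, the pointer that is stale lives on the header's side, and a subsystem label derived only from the tracks can point at the wrong code.

```python
import re

GRANULE = 8  # bytes of kernel memory covered by one shadow byte (generic KASAN)

# Poison values from mm/kasan/kasan.h, generic mode, 5.11 series (assumed to
# match the reporting kernel).  0x00..0x07 mean the granule is (partly) live.
CATEGORY = {
    0xFA: "freed",    # KASAN_KMALLOC_FREETRACK: freed, free track stored here
    0xFB: "freed",    # KASAN_KMALLOC_FREE
    0xFC: "redzone",  # KASAN_KMALLOC_REDZONE
    0xFE: "redzone",  # KASAN_PAGE_REDZONE
    0xFF: "freed",    # KASAN_FREE_PAGE
}

# Constructed excerpt of the report above, trimmed to the lines this parses.
SAMPLE_REPORT = """\
BUG: KASAN: double-free or invalid-free in bdev_free_inode+0x57/0x80 fs/block_dev.c:787

Allocated by task 4893:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 ____kasan_kmalloc.constprop.0+0x7f/0xa0 mm/kasan/common.c:429
 kmem_cache_alloc_trace+0x1e0/0x400 mm/slab.c:3554
 kmalloc include/linux/slab.h:552 [inline]
 kernfs_get_open_node fs/kernfs/file.c:571 [inline]
 kernfs_fop_open+0x957/0xd40 fs/kernfs/file.c:717

Freed by task 4893:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 ____kasan_slab_free+0xb0/0xe0 mm/kasan/common.c:362
 kfree+0xed/0x270 mm/slab.c:3760
 kernfs_fop_release+0xe3/0x190 fs/kernfs/file.c:779

The buggy address belongs to the object at ffff88802b138200
 which belongs to the cache kmalloc-128 of size 128

Memory state around the buggy address:
 ffff88802b138100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b138180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b138200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802b138280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b138300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

FRAME_RE = re.compile(r"^ (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+)", re.M)
SHADOW_RE = re.compile(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)
# Frames inside KASAN or the slab allocator itself; the first frame after
# them is the subsystem that really owned the slot.
INTERNAL = ("mm/kasan/", "mm/slab", "include/linux/kasan.h", "include/linux/slab.h")

def parse_bug(report):
    m = re.search(r"^BUG: KASAN: (.+?) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+)",
                  report, re.M)
    return {"kind": m.group(1), "func": m.group(2), "site": m.group(3)}

def parse_track(report, which):
    """(task, [(function, file:line), ...]) for 'Allocated' or 'Freed',
    with allocator/KASAN internals dropped."""
    m = re.search(rf"^{which} by task (\d+):\n", report, re.M)
    if not m:
        return None, []
    body = report[m.end():].split("\n\n", 1)[0]
    frames = [(f, loc) for f, loc in FRAME_RE.findall(body) if not loc.startswith(INTERNAL)]
    return int(m.group(1)), frames

def parse_object(report):
    m = re.search(r"object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)",
                  report)
    return {"addr": int(m.group(1), 16), "cache": m.group(2), "size": int(m.group(3))}

def decode_shadow(report):
    """Merge the shadow dump into (category, start, end) regions of kernel memory."""
    regions = []
    for addr_hex, shadow in SHADOW_RE.findall(report):
        base = int(addr_hex, 16)
        for i, byte in enumerate(shadow.split()):
            v = int(byte, 16)
            cat = "live" if v < GRANULE else CATEGORY.get(v, "other-0x%02x" % v)
            start = base + i * GRANULE
            if regions and regions[-1][0] == cat and regions[-1][2] == start:
                regions[-1][2] = start + GRANULE   # extend the current run
            else:
                regions.append([cat, start, start + GRANULE])
    return [tuple(r) for r in regions]

def triage(report):
    bug, obj = parse_bug(report), parse_object(report)
    alloc_task, alloc_frames = parse_track(report, "Allocated")
    free_task, free_frames = parse_track(report, "Freed")
    slot = next((r for r in decode_shadow(report) if r[1] <= obj["addr"] < r[2]), None)
    last_free_fn = free_frames[0][0] if free_frames else None
    return {
        "bug": bug, "object": obj, "slot_state": slot,
        "last_owner": alloc_frames[0] if alloc_frames else None,
        "last_freer": free_frames[0] if free_frames else None,
        "same_task": alloc_task == free_task,
        # The header names the *second* free.  If that is not the code that last
        # freed the slot, the faulting side holds a pointer it no longer owns.
        "second_freer_differs": last_free_fn is not None and bug["func"] != last_free_fn,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run it with python3 to print the summary. `second_freer_differs` is the signal to read the kernfs frames as the slot's most recent tenant rather than as the origin of the bug, and to look for the dangling pointer in the data structure that bdev_free_inode frees.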

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/01/07 19:43 upstream 71c061d24438 c104d4a3 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/07 01:54 upstream 9f1abbe97c08 c104d4a3 .config console log report info ci-upstream-kasan-gce-root
2021/01/05 20:33 upstream 36bbbd0e234d a0234d98 .config console log report info ci-upstream-kasan-gce-root
2021/01/05 03:13 upstream 36bbbd0e234d 2a28ff1f .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/04 04:47 upstream e71ba9452f0b 79264ae3 .config console log report info ci-upstream-kasan-gce-root
2021/01/02 06:34 upstream eda809aef534 79264ae3 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/30 07:01 upstream 139711f033f6 0fa352f2 .config console log report info ci-upstream-kasan-gce-root
2020/12/29 23:50 upstream dea8dcf2a9fa 80910769 .config console log report info ci-upstream-kasan-gce-root
2020/12/25 19:32 upstream 71c5f03154ac b982b3ea .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/11 01:13 linux-next 1c925d2030af 2c1f2513 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/07 13:27 linux-next 2d3811a4fb23 c104d4a3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/04 00:38 linux-next d7a03a44a5e9 79264ae3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/30 11:44 linux-next d7a03a44a5e9 0fa352f2 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/30 00:47 linux-next d7a03a44a5e9 80910769 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/25 10:13 linux-next d7a03a44a5e9 b982b3ea .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/16 15:35 linux-next 26aed0ea32c8 f213e07e .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 02:44 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/13 08:48 linux-next 14240d4c5b25 bca53db9 .config console log report info ci-upstream-linux-next-kasan-gce-root