syzbot


KASAN: use-after-free Read in generic_perform_write

Status: upstream: reported syz repro on 2020/09/24 08:55
Reported-by: syzbot+ab73f0a75a218956b10e@syzkaller.appspotmail.com
First crash: 686d, last: 27d

Fix bisection: failed (bisect log)
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in generic_perform_write (2) syz error 5 66d 249d 0/1 upstream: reported syz repro on 2021/12/05 01:05
linux-4.14 KASAN: use-after-free Read in generic_perform_write 11 454d 684d 0/1 auto-closed as invalid on 2021/09/11 00:48
upstream KASAN: use-after-free Read in generic_perform_write C error 73 421d 1484d 0/23 upstream: reported C repro on 2018/07/19 18:01

Sample crash report:
ERROR: (device loop1): diRead: i_ino != di_number
ERROR: (device loop4): diRead: i_ino != di_number
ERROR: (device loop0): diRead: i_ino != di_number
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: use-after-free in memcpy_from_page+0x8c/0x120 lib/iov_iter.c:453
Read of size 4096 at addr ffff8880a89ba000 by task loop0/15081

CPU: 1 PID: 15081 Comm: loop0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:377 [inline]
 memcpy_from_page+0x8c/0x120 lib/iov_iter.c:453
 iov_iter_copy_from_user_atomic+0x701/0xaa0 lib/iov_iter.c:929
 generic_perform_write+0x265/0x4d0 mm/filemap.c:3178
 __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
 generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
 call_write_iter include/linux/fs.h:1821 [inline]
 do_iter_readv_writev+0x668/0x790 fs/read_write.c:681
 do_iter_write+0x182/0x5d0 fs/read_write.c:960
 vfs_iter_write+0x70/0xa0 fs/read_write.c:973
 lo_write_bvec+0x141/0x370 drivers/block/loop.c:274
 lo_write_simple drivers/block/loop.c:296 [inline]
 do_req_filebacked drivers/block/loop.c:619 [inline]
 loop_handle_cmd drivers/block/loop.c:1926 [inline]
 loop_queue_work+0xa1c/0x20c0 drivers/block/loop.c:1940
 kthread_worker_fn+0x292/0x730 kernel/kthread.c:700
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the page:
page:ffffea0002a26e80 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0002681b88 ffffea00025c36c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a89b9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a89b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a89ba000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880a89ba080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880a89ba100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (37):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2022/04/17 17:36 linux-4.19.y 3f8a27f9e27b 8bcc32a6 .config log report syz KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/07/15 00:53 linux-4.19.y 3f8a27f9e27b 5d921b08 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/06/11 10:09 linux-4.19.y 3f8a27f9e27b 0d5abf15 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/05/29 12:32 linux-4.19.y 3f8a27f9e27b a46af346 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/04/22 23:55 linux-4.19.y 3f8a27f9e27b 131df97d .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/04/17 06:38 linux-4.19.y 3f8a27f9e27b 8bcc32a6 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/04/09 22:58 linux-4.19.y 3f8a27f9e27b e22c3da3 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/02/20 01:49 linux-4.19.y 3f8a27f9e27b 3cd800e4 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/01/31 09:52 linux-4.19.y 3f8a27f9e27b a491ad2d .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2022/01/30 17:11 linux-4.19.y 3f8a27f9e27b 495e00c5 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/12/07 05:16 linux-4.19.y 3f8a27f9e27b 0230ba3e .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/12/06 16:53 linux-4.19.y 3f8a27f9e27b 579a8754 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/20 14:57 linux-4.19.y 3f8a27f9e27b 4eb20a4e .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/19 05:56 linux-4.19.y 3f8a27f9e27b 31a30fc0 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/12 13:04 linux-4.19.y 3f8a27f9e27b 75b04091 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/09 13:27 linux-4.19.y 3f8a27f9e27b 59bcaf9a .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/06 19:02 linux-4.19.y 3f8a27f9e27b 4c1be0be .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/11/05 01:31 linux-4.19.y 3f8a27f9e27b 4c1be0be .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/10/10 15:07 linux-4.19.y e34184f53363 838e7e2c .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/09/07 15:02 linux-4.19.y b172b44fcb17 6ca60148 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/06/17 17:14 linux-4.19.y eb575cd5d7f6 aba2b2fb .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/06/03 23:16 linux-4.19.y 1722257b8ece 0740de69 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/05/25 12:38 linux-4.19.y 1e986fe9ad15 3c7fef33 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/05/11 16:20 linux-4.19.y 3c8c23092588 ca873091 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/03/27 09:45 linux-4.19.y 78fec1611cbf a8529b82 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/03/18 18:51 linux-4.19.y ac3af4beac43 7216542e .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/03/14 10:38 linux-4.19.y 030194a5b292 4a003785 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/03/07 13:07 linux-4.19.y 2cae3e25b706 c599ed12 .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/02/01 02:39 linux-4.19.y 811218eceeaa fc9fd31e .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/01/31 23:13 linux-4.19.y 811218eceeaa fc9fd31e .config log report info KASAN: use-after-free Read in generic_perform_write
ci2-linux-4-19 2021/06/22 08:47 linux-4.19.y eb575cd5d7f6 aba2b2fb .config log report info KASAN: slab-out-of-bounds Read in generic_perform_write
ci2-linux-4-19 2021/01/08 02:30 linux-4.19.y 4143d798313f c104d4a3 .config log report info
ci2-linux-4-19 2020/12/28 17:49 linux-4.19.y 13d2ce42de8c 8259d56c .config log report info
ci2-linux-4-19 2020/12/26 18:11 linux-4.19.y 13d2ce42de8c 821e0b09 .config log report info
ci2-linux-4-19 2020/12/12 22:56 linux-4.19.y 13d2ce42de8c bca53db9 .config log report info
ci2-linux-4-19 2020/10/19 09:13 linux-4.19.y ad326970d25c ff4a3345 .config log report info
ci2-linux-4-19 2020/09/24 08:54 linux-4.19.y d09b80172c22 54289b08 .config log report info