Re: KASAN: use-after-free Read in idr_for_each (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com>
To: axboe@kernel.dk, io-uring@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: KASAN: use-after-free Read in idr_for_each (2)
Date: Sat, 28 Nov 2020 09:19:21 -0800	[thread overview]
Message-ID: <00000000000052c1e805b52dfa16@google.com> (raw)
In-Reply-To: <000000000000ca835605b0e8a723@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1251d759500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb8d1a3819ba4356
dashboard link: https://syzkaller.appspot.com/bug?extid=12056a09a0311d758e60
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1126cce9500000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1173d2e9500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
BUG: KASAN: use-after-free in idr_for_each+0x206/0x220 lib/idr.c:202
Read of size 8 at addr ffff888032eb2c40 by task kworker/u4:4/186

CPU: 1 PID: 186 Comm: kworker/u4:4 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
 idr_for_each+0x206/0x220 lib/idr.c:202
 io_destroy_buffers fs/io_uring.c:8275 [inline]
 io_ring_ctx_free fs/io_uring.c:8298 [inline]
 io_ring_exit_work+0x3f7/0x7a0 fs/io_uring.c:8375
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 10961:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:526 [inline]
 slab_alloc_node mm/slub.c:2891 [inline]
 slab_alloc mm/slub.c:2899 [inline]
 kmem_cache_alloc+0x122/0x460 mm/slub.c:2904
 radix_tree_node_alloc.constprop.0+0x7c/0x350 lib/radix-tree.c:274
 idr_get_free+0x4c5/0x940 lib/radix-tree.c:1504
 idr_alloc_u32+0x170/0x2d0 lib/idr.c:46
 idr_alloc+0xc2/0x130 lib/idr.c:87
 io_provide_buffers fs/io_uring.c:4032 [inline]
 io_issue_sqe+0x2fc4/0x3d10 fs/io_uring.c:6012
 __io_queue_sqe+0x132/0xda0 fs/io_uring.c:6232
 io_queue_sqe+0x623/0x11f0 fs/io_uring.c:6298
 io_submit_sqe fs/io_uring.c:6367 [inline]
 io_submit_sqes+0x15e1/0x28a0 fs/io_uring.c:6596
 __do_sys_io_uring_enter+0xc90/0x1ab0 fs/io_uring.c:8983
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 8546:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kmem_cache_free+0x82/0x350 mm/slub.c:3158
 rcu_do_batch kernel/rcu/tree.c:2476 [inline]
 rcu_core+0x5df/0xe80 kernel/rcu/tree.c:2711
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2953 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3027
 radix_tree_node_free lib/radix-tree.c:308 [inline]
 delete_node+0x591/0x8c0 lib/radix-tree.c:571
 __radix_tree_delete+0x190/0x370 lib/radix-tree.c:1377
 radix_tree_delete_item+0xe7/0x230 lib/radix-tree.c:1428
 __io_remove_buffers fs/io_uring.c:3930 [inline]
 __io_remove_buffers fs/io_uring.c:3909 [inline]
 __io_destroy_buffers+0x161/0x200 fs/io_uring.c:8269
 idr_for_each+0x113/0x220 lib/idr.c:208
 io_destroy_buffers fs/io_uring.c:8275 [inline]
 io_ring_ctx_free fs/io_uring.c:8298 [inline]
 io_ring_exit_work+0x3f7/0x7a0 fs/io_uring.c:8375
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888032eb2c00
 which belongs to the cache radix_tree_node of size 576
The buggy address is located 64 bytes inside of
 576-byte region [ffff888032eb2c00, ffff888032eb2e40)
The buggy address belongs to the page:
page:00000000102f3139 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32eb0
head:00000000102f3139 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88801004db40
raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888032eb2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888032eb2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888032eb2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888032eb2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888032eb2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

next prev parent reply	other threads:[~2020-11-28 18:01 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-05  8:56 KASAN: use-after-free Read in idr_for_each (2) syzbot
2020-11-28 17:19 ` syzbot [this message]
2020-12-18 15:43   ` Pavel Begunkov
2020-12-18 16:44     ` syzbot
2021-03-19 10:38       ` Pavel Begunkov
2021-03-19 11:02         ` [syzbot] " syzbot
     [not found] ` <20201129113429.13660-1-hdanton@sina.com>
2020-11-29 12:26   ` Matthew Wilcox
2020-11-30 17:43     ` Jens Axboe
2021-04-15 18:28 ` [syzbot] " syzbot
2021-04-19 12:09   ` Pavel Begunkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=00000000000052c1e805b52dfa16@google.com \
    --to=syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com \
    --cc=axboe@kernel.dk \
    --cc=io-uring@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.