From: syzbot <syzbot+d2dd123304b4ae59f1bd@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
syzkaller-bugs@googlegroups.com, willy@infradead.org
Subject: Re: [syzbot] KASAN: use-after-free Read in copy_page_from_iter_atomic (2)
Date: Thu, 09 Jun 2022 18:24:25 -0700 [thread overview]
Message-ID: <0000000000007f13ca05e10dccc0@google.com> (raw)
In-Reply-To: <0000000000003ce9d105e0db53c8@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: ff539ac73ea5 Add linux-next specific files for 20220609
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1627d920080000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5002042f00a8bce
dashboard link: https://syzkaller.appspot.com/bug?extid=d2dd123304b4ae59f1bd
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d6d7cff00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1113b2bff00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d2dd123304b4ae59f1bd@syzkaller.appspotmail.com
BTRFS error (device loop0): bad tree block start, want 30490624 have 0
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0xef6/0x1b30 lib/iov_iter.c:969
Read of size 4096 at addr ffff888170801000 by task kworker/u4:0/8
CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.19.0-rc1-next-20220609-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: loop0 loop_rootcg_workfn
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x20/0x60 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0xef6/0x1b30 lib/iov_iter.c:969
generic_perform_write+0x2b8/0x560 mm/filemap.c:3735
__generic_file_write_iter+0x2aa/0x4d0 mm/filemap.c:3855
generic_file_write_iter+0xd7/0x220 mm/filemap.c:3887
call_write_iter include/linux/fs.h:2057 [inline]
do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:742
do_iter_write+0x182/0x700 fs/read_write.c:868
vfs_iter_write+0x70/0xa0 fs/read_write.c:909
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1859 [inline]
loop_process_work+0xd83/0x2050 drivers/block/loop.c:1894
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
The buggy address belongs to the physical page:
page:ffffea0005c20040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x170801
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0005c20048 ffffea0005c20048 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffff888170800f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888170800f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888170801000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888170801080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888170801100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
next prev parent reply other threads:[~2022-06-10 1:24 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-07 13:11 [syzbot] KASAN: use-after-free Read in copy_page_from_iter_atomic (2) syzbot
2022-06-10 1:24 ` syzbot [this message]
2022-06-10 7:10 ` syzbot
2022-06-13 19:39 ` David Sterba
2022-06-14 7:17 ` Christoph Hellwig
2022-06-14 8:50 ` Qu Wenruo
2022-06-15 13:21 ` Christoph Hellwig
2022-06-15 21:27 ` Qu Wenruo
2022-06-16 6:35 ` Christoph Hellwig
2022-06-16 14:57 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000007f13ca05e10dccc0@google.com \
--to=syzbot+d2dd123304b4ae59f1bd@syzkaller.appspotmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.