From: syzbot <syzbot+eda782c229b243c648e9@syzkaller.appspotmail.com>
To: hch@infradead.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: [syzbot] KASAN: use-after-free Read in sysv_new_block
Date: Thu, 01 Dec 2022 04:49:40 -0800
Message-ID: <0000000000008e23d405eec3a7c4@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    01f856ae6d0c Merge tag 'net-6.1-rc8-2' of git://git.kernel..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15fddbc5880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2325e409a9a893e1
dashboard link: https://syzkaller.appspot.com/bug?extid=eda782c229b243c648e9
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179d6e75880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124b96a7880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5428d604f56a/disk-01f856ae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e953d290d254/vmlinux-01f856ae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3f71610a4904/bzImage-01f856ae.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e2e13128a6e4/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+eda782c229b243c648e9@syzkaller.appspotmail.com

sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
==================================================================
BUG: KASAN: use-after-free in sysv_new_block+0x73f/0x910 fs/sysv/balloc.c:113
Read of size 4 at addr ffff8880712d60c8 by task syz-executor118/3633

CPU: 1 PID: 3633 Comm: syz-executor118 Not tainted 6.1.0-rc7-syzkaller-00101-g01f856ae6d0c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x1f0 mm/kasan/report.c:395
 kasan_report+0xcd/0x100 mm/kasan/report.c:495
 sysv_new_block+0x73f/0x910 fs/sysv/balloc.c:113
 alloc_branch fs/sysv/itree.c:134 [inline]
 get_block+0x2b5/0x16d0 fs/sysv/itree.c:251
 __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
 __block_write_begin fs/buffer.c:2041 [inline]
 block_write_begin+0x93/0x1e0 fs/buffer.c:2102
 sysv_write_begin+0x2d/0x60 fs/sysv/itree.c:485
 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3753
 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3881
 generic_file_write_iter+0xab/0x310 mm/filemap.c:3913
 call_write_iter include/linux/fs.h:2199 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x7dc/0xc50 fs/read_write.c:584
 ksys_write+0x177/0x2a0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3801c82ee9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffce2453d28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3801c82ee9
RDX: 00000000fffffd5e RSI: 000000002000ad00 RDI: 0000000000000004
RBP: 00007ffce2453e20 R08: 0000000000000031 R09: 0000000000000031
R10: 0000000000009e07 R11: 0000000000000246 R12: 0000000000000048
R13: 00007f3801d0c7e0 R14: 00007ffce2453d82 R15: 00007ffce2453df0
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001c4b580 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x712d6
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c4b5c8 ffffea0001c4b548 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 10227233924, free_ts 11569433830
 split_map_pages+0x25b/0x540 mm/compaction.c:97
 isolate_freepages_range+0x4ac/0x510 mm/compaction.c:735
 alloc_contig_range+0x6a9/0x980 mm/page_alloc.c:9374
 __alloc_contig_pages mm/page_alloc.c:9397 [inline]
 alloc_contig_pages+0x3c8/0x4e0 mm/page_alloc.c:9474
 debug_vm_pgtable_alloc_huge_page+0xcd/0x11e mm/debug_vm_pgtable.c:1098
 init_args+0xa3a/0xdba mm/debug_vm_pgtable.c:1221
 debug_vm_pgtable+0x9a/0x4a6 mm/debug_vm_pgtable.c:1259
 do_one_initcall+0x1c9/0x400 init/main.c:1303
 do_initcall_level+0x168/0x218 init/main.c:1376
 do_initcalls+0x4b/0x8c init/main.c:1392
 kernel_init_freeable+0x428/0x5d5 init/main.c:1631
 kernel_init+0x19/0x2b0 init/main.c:1519
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare+0x80c/0x8f0 mm/page_alloc.c:1509
 free_unref_page_prepare mm/page_alloc.c:3387 [inline]
 free_unref_page+0x7d/0x5f0 mm/page_alloc.c:3483
 free_contig_range+0xa3/0x160 mm/page_alloc.c:9496
 destroy_args+0xfe/0x935 mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x44d/0x4a6 mm/debug_vm_pgtable.c:1354
 do_one_initcall+0x1c9/0x400 init/main.c:1303
 do_initcall_level+0x168/0x218 init/main.c:1376
 do_initcalls+0x4b/0x8c init/main.c:1392
 kernel_init_freeable+0x428/0x5d5 init/main.c:1631
 kernel_init+0x19/0x2b0 init/main.c:1519
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Memory state around the buggy address:
 ffff8880712d5f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880712d6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880712d6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff8880712d6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880712d6180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Thread overview: 2+ messages
2022-12-01 12:49 syzbot [this message]
2024-02-08  1:37 ` [syzbot] [fs?] KASAN: use-after-free Read in sysv_new_block syzbot
