From: syzbot <syzbot+e1dc29a4daf3f8051130@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [netfs?] KASAN: slab-use-after-free Write in io_submit_one
Date: Fri, 14 Feb 2025 18:19:02 -0800
Message-ID: <67aff996.050a0220.21dd3.0062.GAE@google.com>
In-Reply-To: <tencent_531E37224ACA755D7751666E3C2736789709@qq.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in netfs_read_collection

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 103 Comm: kworker/u32:5 Not tainted 6.14.0-rc2-syzkaller-g78a632a2086c-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound netfs_read_collection_worker
RIP: 0010:netfs_rreq_assess_dio fs/netfs/read_collect.c:374 [inline]
RIP: 0010:netfs_read_collection+0x3045/0x3ce0 fs/netfs/read_collect.c:440
Code: 0f 85 16 0b 00 00 4d 03 a6 88 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 65 08 49 8b 6e 58 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 de 0a 00 00 4c 8b 65 10 4d 85 e4 74 7d e8 e3 55
RSP: 0018:ffffc9000171fb10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88804a5f6dd8 RCX: ffffffff82668821
RDX: 0000000000000002 RSI: ffffffff826680c3 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 00000000ff010000
R13: ffff88804a5f7008 R14: ffff88804a5f6d80 R15: ffff88804a5f6f98
FS:  0000000000000000(0000) GS:ffff88806a700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3185ffff CR3: 000000002a4a6000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 netfs_read_collection_worker+0x285/0x350 fs/netfs/read_collect.c:466
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0f 85 16 0b 00 00    	jne    0xb1c
   6:	4d 03 a6 88 02 00 00 	add    0x288(%r14),%r12
   d:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  14:	fc ff df
  17:	4c 89 65 08          	mov    %r12,0x8(%rbp)
  1b:	49 8b 6e 58          	mov    0x58(%r14),%rbp
  1f:	48 8d 7d 10          	lea    0x10(%rbp),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 de 0a 00 00    	jne    0xb12
  34:	4c 8b 65 10          	mov    0x10(%rbp),%r12
  38:	4d 85 e4             	test   %r12,%r12
  3b:	74 7d                	je     0xba
  3d:	e8                   	.byte 0xe8
  3e:	e3 55                	jrcxz  0x95


Tested on:

commit:         78a632a2 Merge tag 'pci-v6.14-fixes-3' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109b19a4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c09dc55ba7f798e3
dashboard link: https://syzkaller.appspot.com/bug?extid=e1dc29a4daf3f8051130
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17df8bf8580000

