From: Pavel Begunkov <asml.silence@gmail.com>
To: syzbot <syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com>
Cc: axboe@kernel.dk, io-uring@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: KASAN: use-after-free Read in idr_for_each (2)
Date: Fri, 18 Dec 2020 15:43:57 +0000 [thread overview]
Message-ID: <af4caaab-93c0-622f-9ab0-e540eb3bc049@gmail.com> (raw)
In-Reply-To: <00000000000052c1e805b52dfa16@google.com>
On 28/11/2020 17:19, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c84e1efa Merge tag 'asm-generic-fixes-5.10-2' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1251d759500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=cb8d1a3819ba4356
> dashboard link: https://syzkaller.appspot.com/bug?extid=12056a09a0311d758e60
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1126cce9500000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1173d2e9500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
> BUG: KASAN: use-after-free in idr_for_each+0x206/0x220 lib/idr.c:202
> Read of size 8 at addr ffff888032eb2c40 by task kworker/u4:4/186
>
> CPU: 1 PID: 186 Comm: kworker/u4:4 Not tainted 5.10.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: events_unbound io_ring_exit_work
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x107/0x163 lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
> __kasan_report mm/kasan/report.c:545 [inline]
> kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
> radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
> idr_for_each+0x206/0x220 lib/idr.c:202
> io_destroy_buffers fs/io_uring.c:8275 [inline]
> io_ring_ctx_free fs/io_uring.c:8298 [inline]
> io_ring_exit_work+0x3f7/0x7a0 fs/io_uring.c:8375
> process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
> worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
> kthread+0x3b1/0x4a0 kernel/kthread.c:292
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
>
> Allocated by task 10961:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track mm/kasan/common.c:56 [inline]
> __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
> slab_post_alloc_hook mm/slab.h:526 [inline]
> slab_alloc_node mm/slub.c:2891 [inline]
> slab_alloc mm/slub.c:2899 [inline]
> kmem_cache_alloc+0x122/0x460 mm/slub.c:2904
> radix_tree_node_alloc.constprop.0+0x7c/0x350 lib/radix-tree.c:274
> idr_get_free+0x4c5/0x940 lib/radix-tree.c:1504
> idr_alloc_u32+0x170/0x2d0 lib/idr.c:46
> idr_alloc+0xc2/0x130 lib/idr.c:87
> io_provide_buffers fs/io_uring.c:4032 [inline]
> io_issue_sqe+0x2fc4/0x3d10 fs/io_uring.c:6012
> __io_queue_sqe+0x132/0xda0 fs/io_uring.c:6232
> io_queue_sqe+0x623/0x11f0 fs/io_uring.c:6298
> io_submit_sqe fs/io_uring.c:6367 [inline]
> io_submit_sqes+0x15e1/0x28a0 fs/io_uring.c:6596
> __do_sys_io_uring_enter+0xc90/0x1ab0 fs/io_uring.c:8983
> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Freed by task 8546:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
> kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
> __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
> slab_free_hook mm/slub.c:1544 [inline]
> slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
> slab_free mm/slub.c:3142 [inline]
> kmem_cache_free+0x82/0x350 mm/slub.c:3158
> rcu_do_batch kernel/rcu/tree.c:2476 [inline]
> rcu_core+0x5df/0xe80 kernel/rcu/tree.c:2711
> __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
>
> Last call_rcu():
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:346
> __call_rcu kernel/rcu/tree.c:2953 [inline]
> call_rcu+0xbb/0x700 kernel/rcu/tree.c:3027
> radix_tree_node_free lib/radix-tree.c:308 [inline]
> delete_node+0x591/0x8c0 lib/radix-tree.c:571
> __radix_tree_delete+0x190/0x370 lib/radix-tree.c:1377
> radix_tree_delete_item+0xe7/0x230 lib/radix-tree.c:1428
> __io_remove_buffers fs/io_uring.c:3930 [inline]
> __io_remove_buffers fs/io_uring.c:3909 [inline]
> __io_destroy_buffers+0x161/0x200 fs/io_uring.c:8269
> idr_for_each+0x113/0x220 lib/idr.c:208
> io_destroy_buffers fs/io_uring.c:8275 [inline]
> io_ring_ctx_free fs/io_uring.c:8298 [inline]
> io_ring_exit_work+0x3f7/0x7a0 fs/io_uring.c:8375
> process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
> worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
> kthread+0x3b1/0x4a0 kernel/kthread.c:292
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
>
> The buggy address belongs to the object at ffff888032eb2c00
> which belongs to the cache radix_tree_node of size 576
> The buggy address is located 64 bytes inside of
> 576-byte region [ffff888032eb2c00, ffff888032eb2e40)
> The buggy address belongs to the page:
> page:00000000102f3139 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32eb0
> head:00000000102f3139 order:2 compound_mapcount:0 compound_pincount:0
> flags: 0xfff00000010200(slab|head)
> raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88801004db40
> raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888032eb2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888032eb2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff888032eb2c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff888032eb2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888032eb2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
#syz test: git://git.kernel.dk/linux-block dfea9fce29fda6f2f91161677e0e0d9b671bc099
--
Pavel Begunkov
next prev parent reply other threads:[~2020-12-18 15:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-05 8:56 KASAN: use-after-free Read in idr_for_each (2) syzbot
2020-11-28 17:19 ` syzbot
2020-12-18 15:43 ` Pavel Begunkov [this message]
2020-12-18 16:44 ` syzbot
2021-03-19 10:38 ` Pavel Begunkov
2021-03-19 11:02 ` [syzbot] " syzbot
[not found] ` <20201129113429.13660-1-hdanton@sina.com>
2020-11-29 12:26 ` Matthew Wilcox
2020-11-30 17:43 ` Jens Axboe
2021-04-15 18:28 ` [syzbot] " syzbot
2021-04-19 12:09 ` Pavel Begunkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af4caaab-93c0-622f-9ab0-e540eb3bc049@gmail.com \
--to=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=io-uring@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+12056a09a0311d758e60@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.