* [syzbot] KASAN: use-after-free Read in bio_poll
@ 2022-05-09 16:14 syzbot
2022-05-09 17:02 ` Jens Axboe
2022-05-09 21:50 ` syzbot
0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2022-05-09 16:14 UTC (permalink / raw)
To: andrii, ast, axboe, bpf, daniel, john.fastabend, kafai, kpsingh,
linux-block, linux-kernel, netdev, songliubraving,
syzkaller-bugs, yhs
Hello,
syzbot found the following issue on:
HEAD commit: c5eb0a61238d Linux 5.18-rc6
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=112bf03ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
dashboard link: https://syzkaller.appspot.com/bug?extid=99938118dfd9e1b0741a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12311571f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177a2e86f00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+99938118dfd9e1b0741a@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in bio_poll+0x275/0x3c0 block/blk-core.c:942
Read of size 4 at addr ffff8880751d92b4 by task syz-executor486/3607
CPU: 0 PID: 3607 Comm: syz-executor486 Not tainted 5.18.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
bio_poll+0x275/0x3c0 block/blk-core.c:942
__iomap_dio_rw+0x10ee/0x1ae0 fs/iomap/direct-io.c:658
iomap_dio_rw+0x38/0x90 fs/iomap/direct-io.c:681
ext4_dio_write_iter fs/ext4/file.c:566 [inline]
ext4_file_write_iter+0xe4d/0x1510 fs/ext4/file.c:677
call_write_iter include/linux/fs.h:2050 [inline]
do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:726
do_iter_write+0x182/0x700 fs/read_write.c:852
vfs_writev+0x1aa/0x630 fs/read_write.c:925
do_pwritev+0x1b6/0x270 fs/read_write.c:1022
__do_sys_pwritev2 fs/read_write.c:1081 [inline]
__se_sys_pwritev2 fs/read_write.c:1072 [inline]
__x64_sys_pwritev2+0xeb/0x150 fs/read_write.c:1072
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6846af7e69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffe8df3bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 0000000000008ff2 RCX: 00007f6846af7e69
RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003
R10: 0000000000001400 R11: 0000000000000246 R12: 00007fffe8df3bdc
R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001d47640 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x751d9
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001e3d2c8 ffffea00008b7a48 0000000000000000
raw: 0000000000000000 00000000000c0000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x92880(GFP_NOWAIT|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC), pid 3605, tgid 3605 (syz-executor486), ts 36797088171, free_ts 37121806576
prep_new_page mm/page_alloc.c:2441 [inline]
get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x26c/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0x8df/0xf20 mm/slub.c:3005
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
slab_alloc_node mm/slub.c:3183 [inline]
slab_alloc mm/slub.c:3225 [inline]
__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
mempool_alloc+0x146/0x350 mm/mempool.c:392
bio_alloc_bioset+0x31d/0x4e0 block/bio.c:492
bio_alloc include/linux/bio.h:426 [inline]
iomap_dio_bio_iter+0x9bc/0x14c0 fs/iomap/direct-io.c:314
iomap_dio_iter fs/iomap/direct-io.c:435 [inline]
__iomap_dio_rw+0x84a/0x1ae0 fs/iomap/direct-io.c:591
iomap_dio_rw+0x38/0x90 fs/iomap/direct-io.c:681
ext4_dio_write_iter fs/ext4/file.c:566 [inline]
ext4_file_write_iter+0xe4d/0x1510 fs/ext4/file.c:677
call_write_iter include/linux/fs.h:2050 [inline]
do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:726
do_iter_write+0x182/0x700 fs/read_write.c:852
vfs_writev+0x1aa/0x630 fs/read_write.c:925
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1356 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
free_unref_page_prepare mm/page_alloc.c:3328 [inline]
free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Memory state around the buggy address:
ffff8880751d9180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880751d9200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880751d9280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880751d9300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880751d9380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-09 16:14 [syzbot] KASAN: use-after-free Read in bio_poll syzbot
@ 2022-05-09 17:02 ` Jens Axboe
2022-05-10 0:13 ` Ming Lei
2022-05-09 21:50 ` syzbot
1 sibling, 1 reply; 7+ messages in thread
From: Jens Axboe @ 2022-05-09 17:02 UTC (permalink / raw)
To: syzbot, andrii, ast, bpf, daniel, john.fastabend, kafai, kpsingh,
linux-block, linux-kernel, netdev, songliubraving,
syzkaller-bugs, yhs, Ming Lei, Christoph Hellwig
On 5/9/22 10:14 AM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c5eb0a61238d Linux 5.18-rc6
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=112bf03ef00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
> dashboard link: https://syzkaller.appspot.com/bug?extid=99938118dfd9e1b0741a
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12311571f00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177a2e86f00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+99938118dfd9e1b0741a@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in bio_poll+0x275/0x3c0 block/blk-core.c:942
> Read of size 4 at addr ffff8880751d92b4 by task syz-executor486/3607
>
> CPU: 0 PID: 3607 Comm: syz-executor486 Not tainted 5.18.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
> print_report mm/kasan/report.c:429 [inline]
> kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
> bio_poll+0x275/0x3c0 block/blk-core.c:942
> __iomap_dio_rw+0x10ee/0x1ae0 fs/iomap/direct-io.c:658
> iomap_dio_rw+0x38/0x90 fs/iomap/direct-io.c:681
> ext4_dio_write_iter fs/ext4/file.c:566 [inline]
> ext4_file_write_iter+0xe4d/0x1510 fs/ext4/file.c:677
> call_write_iter include/linux/fs.h:2050 [inline]
> do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:726
> do_iter_write+0x182/0x700 fs/read_write.c:852
> vfs_writev+0x1aa/0x630 fs/read_write.c:925
> do_pwritev+0x1b6/0x270 fs/read_write.c:1022
> __do_sys_pwritev2 fs/read_write.c:1081 [inline]
> __se_sys_pwritev2 fs/read_write.c:1072 [inline]
> __x64_sys_pwritev2+0xeb/0x150 fs/read_write.c:1072
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f6846af7e69
Guys, should we just queue:
ommit 9650b453a3d4b1b8ed4ea8bcb9b40109608d1faf
Author: Ming Lei <ming.lei@redhat.com>
Date: Wed Apr 20 22:31:10 2022 +0800
block: ignore RWF_HIPRI hint for sync dio
up for 5.18 and stable?
--
Jens Axboe
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-09 16:14 [syzbot] KASAN: use-after-free Read in bio_poll syzbot
2022-05-09 17:02 ` Jens Axboe
@ 2022-05-09 21:50 ` syzbot
1 sibling, 0 replies; 7+ messages in thread
From: syzbot @ 2022-05-09 21:50 UTC (permalink / raw)
To: andrii, ast, axboe, bpf, daniel, hch, john.fastabend, kafai,
kpsingh, linux-block, linux-kernel, ming.lei, netdev,
songliubraving, syzkaller-bugs, yhs
syzbot has bisected this issue to:
commit 0f38d76646157357fcfa02f50575ea044830c494
Author: Christoph Hellwig <hch@lst.de>
Date: Tue Oct 12 10:40:45 2021 +0000
blk-mq: cleanup blk_mq_submit_bio
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12506f7ef00000
start commit: c5eb0a61238d Linux 5.18-rc6
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=11506f7ef00000
console output: https://syzkaller.appspot.com/x/log.txt?x=16506f7ef00000
kernel config: https://syzkaller.appspot.com/x/.config?x=78013caa620443d6
dashboard link: https://syzkaller.appspot.com/bug?extid=99938118dfd9e1b0741a
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1484cbc1f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c7026cf00000
Reported-by: syzbot+99938118dfd9e1b0741a@syzkaller.appspotmail.com
Fixes: 0f38d7664615 ("blk-mq: cleanup blk_mq_submit_bio")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-09 17:02 ` Jens Axboe
@ 2022-05-10 0:13 ` Ming Lei
2022-05-10 5:50 ` Christoph Hellwig
0 siblings, 1 reply; 7+ messages in thread
From: Ming Lei @ 2022-05-10 0:13 UTC (permalink / raw)
To: Jens Axboe
Cc: syzbot, andrii, ast, bpf, daniel, john.fastabend, kafai, kpsingh,
linux-block, linux-kernel, netdev, songliubraving,
syzkaller-bugs, yhs, Christoph Hellwig
On Mon, May 09, 2022 at 11:02:41AM -0600, Jens Axboe wrote:
> On 5/9/22 10:14 AM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: c5eb0a61238d Linux 5.18-rc6
> > git tree: upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=112bf03ef00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=79caa0035f59d385
> > dashboard link: https://syzkaller.appspot.com/bug?extid=99938118dfd9e1b0741a
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12311571f00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177a2e86f00000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+99938118dfd9e1b0741a@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in bio_poll+0x275/0x3c0 block/blk-core.c:942
> > Read of size 4 at addr ffff8880751d92b4 by task syz-executor486/3607
> >
> > CPU: 0 PID: 3607 Comm: syz-executor486 Not tainted 5.18.0-rc6-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > <TASK>
> > __dump_stack lib/dump_stack.c:88 [inline]
> > dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> > print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
> > print_report mm/kasan/report.c:429 [inline]
> > kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
> > bio_poll+0x275/0x3c0 block/blk-core.c:942
> > __iomap_dio_rw+0x10ee/0x1ae0 fs/iomap/direct-io.c:658
> > iomap_dio_rw+0x38/0x90 fs/iomap/direct-io.c:681
> > ext4_dio_write_iter fs/ext4/file.c:566 [inline]
> > ext4_file_write_iter+0xe4d/0x1510 fs/ext4/file.c:677
> > call_write_iter include/linux/fs.h:2050 [inline]
> > do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:726
> > do_iter_write+0x182/0x700 fs/read_write.c:852
> > vfs_writev+0x1aa/0x630 fs/read_write.c:925
> > do_pwritev+0x1b6/0x270 fs/read_write.c:1022
> > __do_sys_pwritev2 fs/read_write.c:1081 [inline]
> > __se_sys_pwritev2 fs/read_write.c:1072 [inline]
> > __x64_sys_pwritev2+0xeb/0x150 fs/read_write.c:1072
> > do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > entry_SYSCALL_64_after_hwframe+0x44/0xae
> > RIP: 0033:0x7f6846af7e69
>
> Guys, should we just queue:
>
> ommit 9650b453a3d4b1b8ed4ea8bcb9b40109608d1faf
> Author: Ming Lei <ming.lei@redhat.com>
> Date: Wed Apr 20 22:31:10 2022 +0800
>
> block: ignore RWF_HIPRI hint for sync dio
>
> up for 5.18 and stable?
I am fine with merging to 5.18 & stable.
Thanks,
Ming
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-10 0:13 ` Ming Lei
@ 2022-05-10 5:50 ` Christoph Hellwig
2022-05-10 12:45 ` Jens Axboe
0 siblings, 1 reply; 7+ messages in thread
From: Christoph Hellwig @ 2022-05-10 5:50 UTC (permalink / raw)
To: Ming Lei
Cc: Jens Axboe, syzbot, andrii, ast, bpf, daniel, john.fastabend,
kafai, kpsingh, linux-block, linux-kernel, netdev,
songliubraving, syzkaller-bugs, yhs, Christoph Hellwig
On Tue, May 10, 2022 at 08:13:58AM +0800, Ming Lei wrote:
> > Guys, should we just queue:
> >
> > ommit 9650b453a3d4b1b8ed4ea8bcb9b40109608d1faf
> > Author: Ming Lei <ming.lei@redhat.com>
> > Date: Wed Apr 20 22:31:10 2022 +0800
> >
> > block: ignore RWF_HIPRI hint for sync dio
> >
> > up for 5.18 and stable?
>
> I am fine with merging to 5.18 & stable.
I'm fine, too. But are we sure this actually is one and the same
issue? Otherwise I'll try to find some time to feed it to syzbot
first.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-10 5:50 ` Christoph Hellwig
@ 2022-05-10 12:45 ` Jens Axboe
2022-05-19 11:01 ` Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: Jens Axboe @ 2022-05-10 12:45 UTC (permalink / raw)
To: Christoph Hellwig, Ming Lei
Cc: syzbot, andrii, ast, bpf, daniel, john.fastabend, kafai, kpsingh,
linux-block, linux-kernel, netdev, songliubraving,
syzkaller-bugs, yhs
On 5/9/22 11:50 PM, Christoph Hellwig wrote:
> On Tue, May 10, 2022 at 08:13:58AM +0800, Ming Lei wrote:
>>> Guys, should we just queue:
>>>
>>> ommit 9650b453a3d4b1b8ed4ea8bcb9b40109608d1faf
>>> Author: Ming Lei <ming.lei@redhat.com>
>>> Date: Wed Apr 20 22:31:10 2022 +0800
>>>
>>> block: ignore RWF_HIPRI hint for sync dio
>>>
>>> up for 5.18 and stable?
>>
>> I am fine with merging to 5.18 & stable.
>
> I'm fine, too. But are we sure this actually is one and the same
> issue? Otherwise I'll try to find some time to feed it to syzbot
> first.
I re-wrote the reproducer a bit and can reproduce it, so I can certainly
test a backport. But yes, I was skeptical on this being the same issue
too. My initial reaction was that this is likely due to the bio being
"downgraded" from polled to IRQ driven, and hence completes without an
extra reference before the bio_poll() is done on it. Which is not the
issue described in the referenced commit.
--
Jens Axboe
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [syzbot] KASAN: use-after-free Read in bio_poll
2022-05-10 12:45 ` Jens Axboe
@ 2022-05-19 11:01 ` Dmitry Vyukov
0 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2022-05-19 11:01 UTC (permalink / raw)
To: syzbot, syzkaller-bugs; +Cc: linux-kernel
On Tue, 10 May 2022 at 14:45, Jens Axboe <axboe@kernel.dk> wrote:
>
> On 5/9/22 11:50 PM, Christoph Hellwig wrote:
> > On Tue, May 10, 2022 at 08:13:58AM +0800, Ming Lei wrote:
> >>> Guys, should we just queue:
> >>>
> >>> ommit 9650b453a3d4b1b8ed4ea8bcb9b40109608d1faf
> >>> Author: Ming Lei <ming.lei@redhat.com>
> >>> Date: Wed Apr 20 22:31:10 2022 +0800
> >>>
> >>> block: ignore RWF_HIPRI hint for sync dio
> >>>
> >>> up for 5.18 and stable?
> >>
> >> I am fine with merging to 5.18 & stable.
> >
> > I'm fine, too. But are we sure this actually is one and the same
> > issue? Otherwise I'll try to find some time to feed it to syzbot
> > first.
>
> I re-wrote the reproducer a bit and can reproduce it, so I can certainly
> test a backport. But yes, I was skeptical on this being the same issue
> too. My initial reaction was that this is likely due to the bio being
> "downgraded" from polled to IRQ driven, and hence completes without an
> extra reference before the bio_poll() is done on it. Which is not the
> issue described in the referenced commit.
#syz fix: block: ignore RWF_HIPRI hint for sync dio
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-05-19 11:02 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-09 16:14 [syzbot] KASAN: use-after-free Read in bio_poll syzbot
2022-05-09 17:02 ` Jens Axboe
2022-05-10 0:13 ` Ming Lei
2022-05-10 5:50 ` Christoph Hellwig
2022-05-10 12:45 ` Jens Axboe
2022-05-19 11:01 ` Dmitry Vyukov
2022-05-09 21:50 ` syzbot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.