All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+8e8958586909d62b6840@syzkaller.appspotmail.com>
To: axboe@kernel.dk, efremov@linux.com, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] KASAN: use-after-free Read in setup_rw_floppy
Date: Tue, 01 Feb 2022 23:28:27 -0800	[thread overview]
Message-ID: <000000000000b71cdd05d703f6bf@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    26291c54e111 Linux 5.17-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=108fb648700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9bdff1d807acada
dashboard link: https://syzkaller.appspot.com/bug?extid=8e8958586909d62b6840
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8e8958586909d62b6840@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in setup_rw_floppy+0x84a/0x9e0 drivers/block/floppy.c:1518
Read of size 1 at addr ffff888026a5fe35 by task kworker/u16:4/3773

CPU: 2 PID: 3773 Comm: kworker/u16:4 Not tainted 5.17.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: floppy fd_timer_workfn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 setup_rw_floppy+0x84a/0x9e0 drivers/block/floppy.c:1518
 seek_floppy drivers/block/floppy.c:1639 [inline]
 floppy_ready drivers/block/floppy.c:1956 [inline]
 floppy_ready+0x345/0x1850 drivers/block/floppy.c:1927
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 16034:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
 kmalloc include/linux/slab.h:581 [inline]
 raw_cmd_copyin drivers/block/floppy.c:3095 [inline]
 raw_cmd_ioctl drivers/block/floppy.c:3162 [inline]
 fd_locked_ioctl+0x100e/0x2830 drivers/block/floppy.c:3530
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3557
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:588
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 16034:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xee/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf6/0x290 mm/slab.c:3794
 raw_cmd_free+0x8a/0x1c0 drivers/block/floppy.c:3079
 raw_cmd_ioctl drivers/block/floppy.c:3182 [inline]
 fd_locked_ioctl+0x207e/0x2830 drivers/block/floppy.c:3530
 fd_ioctl+0x35/0x50 drivers/block/floppy.c:3557
 blkdev_ioctl+0x37a/0x800 block/ioctl.c:588
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3591
 __hw_addr_flush+0x152/0x240 net/core/dev_addr_lists.c:488
 dev_addr_flush+0x1d/0x50 net/core/dev_addr_lists.c:533
 free_netdev+0x1f5/0x5b0 net/core/dev.c:10283
 netdev_run_todo+0x8a0/0xaa0 net/core/dev.c:9964
 ip_tunnel_delete_nets+0x3a4/0x5b0 net/ipv4/ip_tunnel.c:1124
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:173
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:597
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3591
 drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1705
 unregister_sysctl_table fs/proc/proc_sysctl.c:1743 [inline]
 unregister_sysctl_table+0xc0/0x190 fs/proc/proc_sysctl.c:1718
 mpls_dev_sysctl_unregister net/mpls/af_mpls.c:1441 [inline]
 mpls_dev_notify+0x4fb/0x8a0 net/mpls/af_mpls.c:1654
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1919
 call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
 call_netdevice_notifiers net/core/dev.c:1945 [inline]
 unregister_netdevice_many+0x964/0x1850 net/core/dev.c:10415
 ip_tunnel_delete_nets+0x39f/0x5b0 net/ipv4/ip_tunnel.c:1123
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:173
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:597
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888026a5fe00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 53 bytes inside of
 128-byte region [ffff888026a5fe00, ffff888026a5fe80)
The buggy address belongs to the page:
page:ffffea00009a97c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26a5f
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000083f648 ffffea0000657d48 ffff888010c40400
raw: 0000000000000000 ffff888026a5f000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 7589, ts 856054219165, free_ts 610363186592
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages_slowpath.constprop.0+0x2eb/0x20d0 mm/page_alloc.c:4934
 __alloc_pages+0x412/0x500 mm/page_alloc.c:5402
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
 kmalloc include/linux/slab.h:581 [inline]
 __hw_addr_create net/core/dev_addr_lists.c:58 [inline]
 __hw_addr_add_ex+0x22d/0x7e0 net/core/dev_addr_lists.c:116
 __hw_addr_add net/core/dev_addr_lists.c:133 [inline]
 dev_addr_init+0x13a/0x220 net/core/dev_addr_lists.c:556
 alloc_netdev_mqs+0x280/0x1070 net/core/dev.c:10180
 ip6gre_init_net+0x1b6/0x630 net/ipv6/ip6_gre.c:1593
 ops_init+0xaf/0x470 net/core/net_namespace.c:140
 setup_net+0x554/0xbb0 net/core/net_namespace.c:330
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:474
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3048
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3441
 release_pages+0x317/0x1220 mm/swap.c:980
 tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:243 [inline]
 tlb_flush_mmu mm/mmu_gather.c:250 [inline]
 tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:341
 exit_mmap+0x21b/0x670 mm/mmap.c:3180
 __mmput+0x122/0x4b0 kernel/fork.c:1114
 mmput+0x56/0x60 kernel/fork.c:1135
 exit_mm kernel/exit.c:507 [inline]
 do_exit+0xa3c/0x2a30 kernel/exit.c:793
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 __do_sys_exit_group kernel/exit.c:946 [inline]
 __se_sys_exit_group kernel/exit.c:944 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888026a5fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888026a5fd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888026a5fe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888026a5fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888026a5ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

                 reply	other threads:[~2022-02-02  7:28 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000b71cdd05d703f6bf@google.com \
    --to=syzbot+8e8958586909d62b6840@syzkaller.appspotmail.com \
    --cc=axboe@kernel.dk \
    --cc=efremov@linux.com \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.