From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752531AbdA3H0f (ORCPT );
	Mon, 30 Jan 2017 02:26:35 -0500
Received: from mail-ua0-f179.google.com ([209.85.217.179]:34529 "EHLO
	mail-ua0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752269AbdA3H0Z (ORCPT );
	Mon, 30 Jan 2017 02:26:25 -0500
MIME-Version: 1.0
From: Dmitry Vyukov
Date: Mon, 30 Jan 2017 08:25:59 +0100
Message-ID:
Subject: scsi: use-after-free in sg_start_req
To: Doug Gilbert , jejb@linux.vnet.ibm.com, "Martin K. Petersen" ,
	Al Viro , linux-scsi , LKML , Johannes Thumshirn
Cc: syzkaller
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

The following program triggers use-after-free in sg_start_req:
https://gist.githubusercontent.com/dvyukov/be6561d2819fe30a78711234e53866b8/raw/1d75d4508f7a8ebb0b1ec0d18c0054fbffbc0708/gistfile1.txt

BUG: KASAN: use-after-free in bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248 at addr ffff8801c8c3ed00
Read of size 8 by task /9023
CPU: 0 PID: 9023 Comm: Not tainted 4.9.0 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d451f420 ffffffff82346bdf ffffffff00000000 1ffff1003a8a3e17
 ffffed003a8a3e0f 0000000041b58ab3 ffffffff84b37e38 ffffffff823468f1
 ffffffff813183a6 ffff8801d451f0e0 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:161
 [] print_address_description mm/kasan/report.c:199 [inline]
 [] kasan_report_error+0x1d1/0x4d0 mm/kasan/report.c:288
 [] kasan_report mm/kasan/report.c:308 [inline]
 [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [] bio_copy_user_iov+0xee1/0xf00 block/bio.c:1248
 [] __blk_rq_map_user_iov block/blk-map.c:56 [inline]
 [] blk_rq_map_user_iov+0x2c5/0x970 block/blk-map.c:133
 [] blk_rq_map_user+0x134/0x1d0 block/blk-map.c:163
 [] sg_start_req drivers/scsi/sg.c:1758 [inline]
 [] sg_common_write.isra.20+0x12b1/0x1b00 drivers/scsi/sg.c:772
 [] sg_write+0x785/0xda0 drivers/scsi/sg.c:675
 [] __vfs_write+0x5b1/0x740 fs/read_write.c:510
 [] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xfb/0x230 fs/read_write.c:599
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff8801c8c3ed00, in cache kmalloc-256 size: 256
Allocated:
PID = 9032
[ 52.586815] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 52.594037] [] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
[ 52.600735] [] set_track mm/kasan/kasan.c:507 [inline]
[ 52.600735] [] kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:598
[ 52.607700] [] __do_kmalloc mm/slab.c:3729 [inline]
[ 52.607700] [] __kmalloc+0x12c/0x690 mm/slab.c:3738
[ 52.614520] [] kmalloc include/linux/slab.h:495 [inline]
[ 52.614520] [] kzalloc include/linux/slab.h:636 [inline]
[ 52.614520] [] sg_build_sgat drivers/scsi/sg.c:1808 [inline]
[ 52.614520] [] sg_build_indirect.isra.19+0x8b/0x540 drivers/scsi/sg.c:1834
[ 52.622591] [] sg_build_reserve+0x8d/0xb0 drivers/scsi/sg.c:1965
[ 52.629815] [] sg_add_sfp drivers/scsi/sg.c:2152 [inline]
[ 52.629815] [] sg_open+0xcb1/0x15b0 drivers/scsi/sg.c:329
[ 52.636503] [] chrdev_open+0x253/0x6b0 fs/char_dev.c:392
[ 52.643451] [] do_dentry_open+0x6ca/0xc50 fs/open.c:753
[ 52.650660] [] vfs_open+0x105/0x220 fs/open.c:866
[ 52.657351] [] do_last fs/namei.c:3374 [inline]
[ 52.657351] [] path_openat+0x100f/0x3830 fs/namei.c:3497
[ 52.664488] [] do_filp_open+0x288/0x3f0 fs/namei.c:3532
[ 52.671538] [] do_sys_open+0x535/0x710 fs/open.c:1053
[ 52.678484] [] SYSC_open fs/open.c:1071 [inline]
[ 52.678484] [] SyS_open+0x2d/0x40 fs/open.c:1066
[ 52.685000] [] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 9032
[ 52.697636] [] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 52.704842] [] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
[ 52.711522] [] set_track mm/kasan/kasan.c:507 [inline]
[ 52.711522] [] kasan_slab_free+0x6f/0xb0 mm/kasan/kasan.c:571
[ 52.718640] [] __cache_free mm/slab.c:3507 [inline]
[ 52.718640] [] kfree+0xd3/0x250 mm/slab.c:3824
[ 52.724979] [] sg_remove_scat.isra.16+0x212/0x2d0 drivers/scsi/sg.c:1916
[ 52.732879] [] sg_ioctl+0x1903/0x3840 drivers/scsi/sg.c:970
[ 52.739745] [] vfs_ioctl fs/ioctl.c:43 [inline]
[ 52.739745] [] do_vfs_ioctl+0x1bf/0x1630 fs/ioctl.c:679
[ 52.746866] [] SYSC_ioctl fs/ioctl.c:694 [inline]
[ 52.746866] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[ 52.753478] [] entry_SYSCALL_64_fastpath+0x1f/0xc2

On commit ca63ff9b11f958efafd8c8fa60fda14baec6149c