* [Bug 213539] New: KASAN: use-after-free Write in ext4_put_super
From: bugzilla-daemon @ 2021-06-21 15:16 UTC (permalink / raw)
  To: linux-ext4

https://bugzilla.kernel.org/show_bug.cgi?id=213539

            Bug ID: 213539
           Summary: KASAN: use-after-free Write in ext4_put_super
           Product: File System
           Version: 2.5
    Kernel Version: 5.13-rc4
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@kernel-bugs.osdl.org
          Reporter: 6201613047@stu.jiangnan.edu.cn
        Regression: No

Created attachment 297549
  --> https://bugzilla.kernel.org/attachment.cgi?id=297549&action=edit
log0

==================================================================
BUG: KASAN: use-after-free in kthread_stop+0x33/0x370
Write of size 4 at addr ffff8880308eade8 by task syz-executor.3/402

EXT4-fs (loop7): mount failed
CPU: 0 PID: 402 Comm: syz-executor.3 Not tainted 5.13.0-rc3+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0xaf/0xf2
 print_address_description.constprop.8+0x1a/0x150
 kasan_report.cold.13+0x7f/0x111
 kasan_check_range+0x198/0x200
 kthread_stop+0x33/0x370
 ext4_put_super+0x7a4/0xce0
 generic_shutdown_super+0x14a/0x370
 kill_block_super+0x94/0xe0
 deactivate_locked_super+0x7f/0xe0
 deactivate_super+0xb2/0xc0
 cleanup_mnt+0x2ec/0x450
 task_work_run+0x101/0x1a0
 exit_to_user_mode_prepare+0x132/0x140
 syscall_exit_to_user_mode+0x12/0x20
 do_syscall_64+0x48/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46b1b7
Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5db62af8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046b1b7
RDX: 0000000000404502 RSI: 0000000000000002 RDI: 00007ffd5db62bc0
RBP: 00007ffd5db62bc0 R08: 00000000032b0083 R09: 000000000000000b
R10: 00000000fffffffb R11: 0000000000000246 R12: 00000000004d17aa
R13: 00007ffd5db63c70 R14: 0000000000000004 R15: 0000000000000032

Allocated by task 2:
 kasan_save_stack+0x19/0x40
 __kasan_slab_alloc+0x68/0x80
 kmem_cache_alloc_node+0xd3/0x200
 copy_process+0x174e/0x66e0
 kernel_clone+0xbd/0x950
 kernel_thread+0xa7/0xe0
 kthreadd+0x3c8/0x520
 ret_from_fork+0x22/0x30

Freed by task 12813:
 kasan_save_stack+0x19/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0xe2/0x110
 kmem_cache_free+0x77/0x280
 __put_task_struct+0x22a/0x4f0
 delayed_put_task_struct+0x120/0x160
 rcu_core+0x555/0x14e0
 __do_softirq+0x17f/0x578

Last potentially related work creation:
 kasan_save_stack+0x19/0x40
 kasan_record_aux_stack+0xa3/0xb0
 call_rcu+0x76/0xac0
 put_task_struct_rcu_user+0x61/0x90
 finish_task_switch+0x48a/0x670
 __schedule+0x873/0x18f0
 preempt_schedule_common+0x16/0x50
 __cond_resched+0x18/0x20
 write_mmp_block+0x308/0x580
 kmmpd+0x3e5/0x990
 kthread+0x32a/0x3f0
 ret_from_fork+0x22/0x30

Second to last potentially related work creation:
 kasan_save_stack+0x19/0x40
 kasan_record_aux_stack+0xa3/0xb0
 call_rcu+0x76/0xac0
 put_task_struct_rcu_user+0x61/0x90
 finish_task_switch+0x48a/0x670
 __schedule+0x873/0x18f0
 schedule+0xb8/0x250
 exit_to_user_mode_prepare+0x97/0x140
 irqentry_exit_to_user_mode+0x5/0x20
 asm_sysvec_apic_timer_interrupt+0x12/0x20

The buggy address belongs to the object at ffff8880308eadc0
 which belongs to the cache task_struct of size 3776
The buggy address is located 40 bytes inside of
 3776-byte region [ffff8880308eadc0, ffff8880308ebc80)
The buggy address belongs to the page:
page:00000000af281d24 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880308e8f40 pfn:0x308e8
head:00000000af281d24 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 0000000100000001 ffff88800112cdc0
raw: ffff8880308e8f40 0000000080080006 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880308eac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880308ead00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8880308ead80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                          ^
 ffff8880308eae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880308eae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 402 at lib/refcount.c:25 refcount_warn_saturate+0x130/0x1a0
Modules linked in:
CPU: 0 PID: 402 Comm: syz-executor.3 Tainted: G    B             5.13.0-rc3+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x130/0x1a0
Code: e8 35 1e 66 ff 80 3d b9 2e de 02 00 0f 85 59 ff ff ff e8 23 1e 66 ff 48 c7 c7 40 41 36 ba c6 05 a0 2e de 02 01 e8 e9 5b 98 01 <0f> 0b e9 3a ff ff ff e8 04 1e 66 ff 80 3d 8a 2e de 02 00 0f 85 28
RSP: 0018:ffff88802ea0fd70 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffffffffb784f048
RDX: ffff888003215b80 RSI: 0000000000000000 RDI: ffff88806d22622c
RBP: ffff8880308eade8 R08: ffffed100da45cbb R09: ffffed100da45cbb
R10: ffff88806d22e5d7 R11: ffffed100da45cba R12: ffff8880308eade8
R13: 0000000000000000 R14: ffff888001c7e270 R15: dffffc0000000000
FS:  00000000032ae940(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000032b0000 CR3: 000000002e9f6001 CR4: 0000000000370ef0
Call Trace:
 kthread_stop+0x320/0x370
 ext4_put_super+0x7a4/0xce0
 generic_shutdown_super+0x14a/0x370
 kill_block_super+0x94/0xe0
 deactivate_locked_super+0x7f/0xe0
 deactivate_super+0xb2/0xc0
 cleanup_mnt+0x2ec/0x450
 task_work_run+0x101/0x1a0
 exit_to_user_mode_prepare+0x132/0x140
 syscall_exit_to_user_mode+0x12/0x20
 do_syscall_64+0x48/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46b1b7
Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5db62af8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000046b1b7
RDX: 0000000000404502 RSI: 0000000000000002 RDI: 00007ffd5db62bc0
RBP: 00007ffd5db62bc0 R08: 00000000032b0083 R09: 000000000000000b
R10: 00000000fffffffb R11: 0000000000000246 R12: 00000000004d17aa
R13: 00007ffd5db63c70 R14: 0000000000000004 R15: 0000000000000032
---[ end trace 852a0a8b5201e68c ]---
loop2: detected capacity change from 0 to 4096
Quota error (device loop2): v2_read_file_info: Free block number too big (0 >= 0).
EXT4-fs warning (device loop2): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-117). Please run e2fsck to fix.
EXT4-fs (loop2): mount failed
loop6: detected capacity change from 0 to 545
loop4: detected capacity change from 0 to 544
EXT4-fs error (device loop4): ext4_quota_enable:6432: comm syz-executor.4: Bad quota inode # 3
EXT4-fs warning (device loop4): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-116). Please run e2fsck to fix.
EXT4-fs (loop4): mount failed
loop1: detected capacity change from 0 to 544
ext4 filesystem being mounted at /syzkaller-testdir919013516/syzkaller.s42ayS/269/file0 supports timestamps until 2038 (0x7fffffff)
EXT4-fs (loop6): re-mounted. Opts: (null). Quota mode: writeback.
loop6: detected capacity change from 0 to 545
loop7: detected capacity change from 0 to 544
EXT4-fs error (device loop7): ext4_quota_enable:6432: comm syz-executor.7: Bad quota inode # 3
EXT4-fs warning (device loop7): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-116). Please run e2fsck to fix.
loop2: detected capacity change from 0 to 4096
EXT4-fs error (device loop1): ext4_quota_enable:6432: comm syz-executor.1: Bad quota inode # 3
EXT4-fs warning (device loop1): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-116). Please run e2fsck to fix.
loop4: detected capacity change from 0 to 544
EXT4-fs (loop1): mount failed
EXT4-fs (loop7): mount failed
ext4 filesystem being mounted at /syzkaller-testdir919013516/syzkaller.s42ayS/270/file0 supports timestamps until 2038 (0x7fffffff)
EXT4-fs (loop6): re-mounted. Opts: (null). Quota mode: writeback.
Quota error (device loop2): v2_read_file_info: Free block number too big (0 >= 0).
EXT4-fs error (device loop4): ext4_quota_enable:6432: comm syz-executor.4: Bad quota inode # 3
EXT4-fs warning (device loop4): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-116). Please run e2fsck to fix.
EXT4-fs warning (device loop2): ext4_enable_quotas:6472: Failed to enable quota tracking (type=0, err=-117). Please run e2fsck to fix.
EXT4-fs (loop4): mount failed
EXT4-fs (loop2): mount failed
general protection fault, probably for non-canonical address 0xc823ddfe220008: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 12905 Comm: systemd-udevd Tainted: G    B   W         5.13.0-rc3+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:qlist_free_all+0x8d/0xd0
Code: 85 db 75 cf b8 00 00 00 80 48 01 f0 72 53 4c 89 fa 48 2b 15 3d c2 c2 02 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 1b c2 c2 02 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 94 49
RSP: 0018:ffff888003cbf700 EFLAGS: 00010207
RAX: 00c823ddfe220000 RBX: 0000000000000000 RCX: 0000000000080006
RDX: 0000777f80000000 RSI: 320dffff888004dc RDI: 0000000000000000
RBP: 320dffff888004dc R08: 0000000000000000 R09: ffffffffb7be1f00
R10: ffff8880308eadc2 R11: 0000000000000001 R12: dffffc0000000000
R13: ffffffffb7be1f36 R14: ffff888003cbf738 R15: ffffffff80000000
FS:  00007f3e9659c8c0(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc4c53aea7 CR3: 0000000008c8a006 CR4: 0000000000370ef0
Call Trace:
 kasan_quarantine_reduce+0x117/0x140
 __kasan_slab_alloc+0x7a/0x80
 kmem_cache_alloc_node+0xd3/0x200
 __alloc_skb+0x201/0x320
 alloc_skb_with_frags+0x87/0x4b0
 sock_alloc_send_pskb+0x68b/0x7f0
 unix_dgram_sendmsg+0x38d/0x12c0
 sock_sendmsg+0x132/0x170
 sock_write_iter+0x241/0x390
 new_sync_write+0x418/0x5c0
 vfs_write+0x445/0x730
 ksys_write+0x1ac/0x1f0
 do_syscall_64+0x3c/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f3e956e31b0
Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 19 7e 20 00 c3 0f 1f 84 00 00 00 00 00 83 3d 19 c2 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24
RSP: 002b:00007ffc4c53d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00005569587229f0 RCX: 00007f3e956e31b0
RDX: 0000000000000000 RSI: 00007ffc4c53d0f0 RDI: 0000000000000008
RBP: 00007ffc4c53d1b0 R08: 00005569587210a4 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 00007ffc4c53d100
R13: 000055695871d7e0 R14: 0000000000000003 R15: 000000000000000e
Modules linked in:
---[ end trace 852a0a8b5201e68d ]---
RIP: 0010:qlist_free_all+0x8d/0xd0
Code: 85 db 75 cf b8 00 00 00 80 48 01 f0 72 53 4c 89 fa 48 2b 15 3d c2 c2 02 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 1b c2 c2 02 <48> 8b 50 08 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 18 eb 94 49
RSP: 0018:ffff888003cbf700 EFLAGS: 00010207
RAX: 00c823ddfe220000 RBX: 0000000000000000 RCX: 0000000000080006
RDX: 0000777f80000000 RSI: 320dffff888004dc RDI: 0000000000000000
RBP: 320dffff888004dc R08: 0000000000000000 R09: ffffffffb7be1f00
R10: ffff8880308eadc2 R11: 0000000000000001 R12: dffffc0000000000
R13: ffffffffb7be1f36 R14: ffff888003cbf738 R15: ffffffff80000000

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

* [Bug 213539] KASAN: use-after-free Write in ext4_put_super
From: bugzilla-daemon @ 2021-06-21 15:17 UTC (permalink / raw)
  To: linux-ext4

https://bugzilla.kernel.org/show_bug.cgi?id=213539

--- Comment #1 from 6201613047@stu.jiangnan.edu.cn ---
Created attachment 297551
  --> https://bugzilla.kernel.org/attachment.cgi?id=297551&action=edit
report0


* [Bug 213539] KASAN: use-after-free Write in ext4_put_super
From: bugzilla-daemon @ 2021-06-25  4:37 UTC (permalink / raw)
  To: linux-ext4

https://bugzilla.kernel.org/show_bug.cgi?id=213539

--- Comment #2 from 6201613047@stu.jiangnan.edu.cn ---
This bug can be reproduced; if you need the reproducer, please tell me.
Thanks


* [Bug 213539] KASAN: use-after-free Write in ext4_put_super
From: bugzilla-daemon @ 2021-06-25 13:13 UTC (permalink / raw)
  To: linux-ext4

https://bugzilla.kernel.org/show_bug.cgi?id=213539

--- Comment #3 from 6201613047@stu.jiangnan.edu.cn ---
Created attachment 297611
  --> https://bugzilla.kernel.org/attachment.cgi?id=297611&action=edit
kernel config


* [Bug 213539] KASAN: use-after-free Write in ext4_put_super
From: bugzilla-daemon @ 2021-06-25 13:34 UTC (permalink / raw)
  To: linux-ext4

https://bugzilla.kernel.org/show_bug.cgi?id=213539

--- Comment #4 from 6201613047@stu.jiangnan.edu.cn ---
And the PoC can also sometimes cause another BUG: "BUG: KASAN: double-free or invalid-free in __put_task_struct+0x22a/0x4f0". The log is as follows.

[   25.942673] ==================================================================
[   25.944029] BUG: KASAN: double-free or invalid-free in __put_task_struct+0x22a/0x4f0
[   25.945550]
[   25.945872] CPU: 0 PID: 336 Comm: poc Tainted: G    B D W         5.13.0-rc3+ #2
[   25.947304] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   25.948439] ext4 filesystem being mounted at /root/syzkaller.OKJyCQ/24/file0 supports timestamps until 2038 (0x7fffffff)
[   25.949472] Call Trace:
[   25.949476]  dump_stack+0xaf/0xf2
[   25.949483]  print_address_description.constprop.8+0x1a/0x150
[   25.949490]  ? __put_task_struct+0x22a/0x4f0
[   25.949495]  kasan_report_invalid_free+0x50/0x80
[   25.949500]  ? __put_task_struct+0x22a/0x4f0
[   25.949505]  __kasan_slab_free+0xfe/0x110
[   25.949528]  ? __put_task_struct+0x22a/0x4f0
[   25.949532]  kmem_cache_free+0x77/0x280
[   25.958044] EXT4-fs (loop4): re-mounted. Opts: (null). Quota mode:
writeback.
[   25.959010]  __put_task_struct+0x22a/0x4f0
[   25.959031]  kthread_stop+0x2cf/0x370
[   25.959036]  destroy_workqueue+0xff/0x700
[   25.959041]  ? ext4_quota_write+0x600/0x600
[   25.959046]  ext4_put_super+0xdb/0xce0
[   25.959050]  ? ext4_quota_write+0x600/0x600
[   25.959054]  generic_shutdown_super+0x14a/0x370
[   25.959059]  kill_block_super+0x94/0xe0
[   25.959064]  deactivate_locked_super+0x7f/0xe0
[   25.959069]  deactivate_super+0xb2/0xc0
[   25.970853]  cleanup_mnt+0x2ec/0x450
[   25.971622]  task_work_run+0x101/0x1a0
[   25.972437]  exit_to_user_mode_prepare+0x132/0x140
[   25.973434]  syscall_exit_to_user_mode+0x12/0x20
[   25.974330]  do_syscall_64+0x48/0x80
[   25.975106]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   25.976128] RIP: 0033:0x7f1c1389fd77
[   25.976898] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   25.980943] RSP: 002b:00007fffa72c1428 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   25.982628] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1c1389fd77
[   25.984122] RDX: 00007fffa72c150a RSI: 0000000000000002 RDI: 00007fffa72c1500
[   25.985529] RBP: 00007fffa72c2510 R08: 000055b1e31fd083 R09: 000000000000000a
[   25.987042] R10: 0000000000000073 R11: 0000000000000206 R12: 000055b1e1c010b0
[   25.988471] R13: 00007fffa72c2660 R14: 0000000000000000 R15: 0000000000000000
[   25.989922] 
[   25.990300] Allocated by task 131072:
[   25.991327] ------------[ cut here ]------------
[   25.992295] slab index 131072 out of bounds (119) for stack id 00020000
[   25.993720] WARNING: CPU: 0 PID: 336 at lib/stackdepot.c:237 stack_depot_fetch+0x5d/0x70
[   25.995543] Modules linked in:
[   25.996309] CPU: 0 PID: 336 Comm: poc Tainted: G    B D W         5.13.0-rc3+ #2
[   25.997974] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   26.000094] RIP: 0010:stack_depot_fetch+0x5d/0x70
[   26.001017] Code: 74 2d 48 c1 e0 04 25 f0 3f 00 00 48 01 d0 48 8d 50 18 48 89 16 8b 40 0c c3 89 f9 44 89 c6 48 c7 c7 d0 47 fb 87 e8 1c b6 8e 01 <0f> 0b 31 c0 c3 31 c0 c3 90 66 2e 0f 1f 84 00 00 00 00 00 48 63 15
[   26.004698] RSP: 0018:ffff8880088bfc50 EFLAGS: 00010086
[   26.005798] RAX: 0000000000000000 RBX: ffff8880075d8e02 RCX: ffffffff8504f048
[   26.007441] RDX: ffff888001868000 RSI: 0000000000000000 RDI: ffff888068c1f598
[   26.009075] RBP: ffffea00001d7600 R08: ffffed100d183eb4 R09: ffffed100d183eb4
[   26.010611] R10: ffff888068c1f59b R11: ffffed100d183eb3 R12: ffff88800112cdc0
[   26.012196] R13: ffff8880075d8e00 R14: ffff8880075d9b80 R15: 0000000000000000
[   26.013861] FS:  00007f1c13d74480(0000) GS:ffff888068c00000(0000) knlGS:0000000000000000
[   26.015540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.016872] CR2: 00007ffc569bbcd7 CR3: 0000000008810000 CR4: 00000000000006f0
[   26.018480] Call Trace:
[   26.019002]  print_stack+0x9/0x18
[   26.019737]  print_address_description.constprop.8.cold.12+0x185/0x18a
[   26.021019]  ? __put_task_struct+0x22a/0x4f0
[   26.021976]  kasan_report_invalid_free+0x50/0x80
[   26.022911]  ? __put_task_struct+0x22a/0x4f0
[   26.023805]  __kasan_slab_free+0xfe/0x110
[   26.024598]  ? __put_task_struct+0x22a/0x4f0
[   26.025502]  kmem_cache_free+0x77/0x280
[   26.026293]  __put_task_struct+0x22a/0x4f0
[   26.027094]  kthread_stop+0x2cf/0x370
[   26.027827]  destroy_workqueue+0xff/0x700
[   26.028729]  ? ext4_quota_write+0x600/0x600
[   26.029851]  ext4_put_super+0xdb/0xce0
[   26.030690]  ? ext4_quota_write+0x600/0x600
[   26.031724]  generic_shutdown_super+0x14a/0x370
[   26.032753]  kill_block_super+0x94/0xe0
[   26.033593]  deactivate_locked_super+0x7f/0xe0
[   26.034426]  deactivate_super+0xb2/0xc0
[   26.035226]  cleanup_mnt+0x2ec/0x450
[   26.035964]  task_work_run+0x101/0x1a0
[   26.036711]  exit_to_user_mode_prepare+0x132/0x140
[   26.037644]  syscall_exit_to_user_mode+0x12/0x20
[   26.038541]  do_syscall_64+0x48/0x80
[   26.039299]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   26.040245] RIP: 0033:0x7f1c1389fd77
[   26.040952] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   26.044786] RSP: 002b:00007fffa72c1428 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   26.046353] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1c1389fd77
[   26.047859] RDX: 00007fffa72c150a RSI: 0000000000000002 RDI: 00007fffa72c1500
[   26.049397] RBP: 00007fffa72c2510 R08: 000055b1e31fd083 R09: 000000000000000a
[   26.051028] R10: 0000000000000073 R11: 0000000000000206 R12: 000055b1e1c010b0
[   26.052424] R13: 00007fffa72c2660 R14: 0000000000000000 R15: 0000000000000000
[   26.053764] ---[ end trace d8fc4879a76a1704 ]---
[   26.054669] ------------[ cut here ]------------
[   26.055673] WARNING: CPU: 0 PID: 336 at kernel/stacktrace.c:28 stack_trace_print+0x16/0x20
[   26.057321] Modules linked in:
[   26.057960] CPU: 0 PID: 336 Comm: poc Tainted: G    B D W         5.13.0-rc3+ #2
[   26.059328] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   26.061085] RIP: 0010:stack_trace_print+0x16/0x20
[   26.061987] Code: 00 00 75 06 48 83 c4 60 5b c3 e8 e5 50 4b 02 0f 1f 44 00 00 41 55 41 54 55 53 48 85 ff 74 0b 85 f6 75 0b 5b 5d 41 5c 41 5d c3 <0f> 0b eb f5 e9 37 44 40 02 90 41 57 41 56 41 55 41 54 55 53 48 83
[   26.065636] RSP: 0018:ffff8880088bfc30 EFLAGS: 00010046
[   26.066639] RAX: 0000000000000000 RBX: ffff8880075d8e02 RCX: ffffffff8504f048
[   26.068078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   26.069440] RBP: ffffea00001d7600 R08: ffffed100d183eb4 R09: ffffed100d183eb4
[   26.071029] R10: ffff888068c1f59b R11: ffffed100d183eb3 R12: ffff88800112cdc0
[   26.072404] R13: ffff8880075d8e00 R14: ffff8880075d9b80 R15: 0000000000000000
[   26.074029] FS:  00007f1c13d74480(0000) GS:ffff888068c00000(0000) knlGS:0000000000000000
[   26.075887] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.077192] CR2: 00007ffc569bbcd7 CR3: 0000000008810000 CR4: 00000000000006f0
[   26.078700] Call Trace:
[   26.079225]  print_stack+0x16/0x18
[   26.079906]  print_address_description.constprop.8.cold.12+0x185/0x18a
[   26.081193]  ? __put_task_struct+0x22a/0x4f0
[   26.082049]  kasan_report_invalid_free+0x50/0x80
[   26.082957]  ? __put_task_struct+0x22a/0x4f0
[   26.083799]  __kasan_slab_free+0xfe/0x110
[   26.084603]  ? __put_task_struct+0x22a/0x4f0
[   26.085479]  kmem_cache_free+0x77/0x280
[   26.086284]  __put_task_struct+0x22a/0x4f0
[   26.087056]  kthread_stop+0x2cf/0x370
[   26.087806]  destroy_workqueue+0xff/0x700
[   26.088556]  ? ext4_quota_write+0x600/0x600
[   26.089397]  ext4_put_super+0xdb/0xce0
[   26.090374]  ? ext4_quota_write+0x600/0x600
[   26.091299]  generic_shutdown_super+0x14a/0x370
[   26.092227]  kill_block_super+0x94/0xe0
[   26.092945]  deactivate_locked_super+0x7f/0xe0
[   26.093835]  deactivate_super+0xb2/0xc0
[   26.094663]  cleanup_mnt+0x2ec/0x450
[   26.095389]  task_work_run+0x101/0x1a0
[   26.096137]  exit_to_user_mode_prepare+0x132/0x140
[   26.097104]  syscall_exit_to_user_mode+0x12/0x20
[   26.098144]  do_syscall_64+0x48/0x80
[   26.098849]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   26.099909] RIP: 0033:0x7f1c1389fd77
[   26.100749] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   26.104349] RSP: 002b:00007fffa72c1428 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   26.105947] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1c1389fd77
[   26.107476] RDX: 00007fffa72c150a RSI: 0000000000000002 RDI: 00007fffa72c1500
[   26.108963] RBP: 00007fffa72c2510 R08: 000055b1e31fd083 R09: 000000000000000a
[   26.110389] R10: 0000000000000073 R11: 0000000000000206 R12: 000055b1e1c010b0
[   26.111832] R13: 00007fffa72c2660 R14: 0000000000000000 R15: 0000000000000000
[   26.113173] ---[ end trace d8fc4879a76a1705 ]---
[   26.114104] 
[   26.114411] Last potentially related work creation:
[   26.115400]  kasan_save_stack+0x19/0x40
[   26.116078]  kasan_record_aux_stack+0xa3/0xb0
[   26.116964]  call_rcu+0x76/0xac0
[   26.117646]  put_task_struct_rcu_user+0x61/0x90
[   26.118554]  finish_task_switch+0x48a/0x670
[   26.119366]  __schedule+0x873/0x18f0
[   26.120116]  preempt_schedule_common+0x16/0x50
[   26.121022]  __cond_resched+0x18/0x20
[   26.121867]  wait_for_completion+0x69/0x260
[   26.122774]  kthread_stop+0xf1/0x370
[   26.123470]  destroy_workqueue+0xff/0x700
[   26.124307]  ext4_put_super+0xdb/0xce0
[   26.125078]  generic_shutdown_super+0x14a/0x370
[   26.125959]  kill_block_super+0x94/0xe0
[   26.126758]  deactivate_locked_super+0x7f/0xe0
[   26.127618]  deactivate_super+0xb2/0xc0
[   26.128299]  cleanup_mnt+0x2ec/0x450
[   26.128958]  task_work_run+0x101/0x1a0
[   26.129690]  exit_to_user_mode_prepare+0x132/0x140
[   26.130709]  syscall_exit_to_user_mode+0x12/0x20
[   26.131670]  do_syscall_64+0x48/0x80
[   26.132349]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   26.133458] 
[   26.133856] Second to last potentially related work creation:
[   26.135165] ------------[ cut here ]------------
[   26.136254] slab index 41440 out of bounds (119) for stack id e2a0a1e0
[   26.137534] WARNING: CPU: 0 PID: 336 at lib/stackdepot.c:237 stack_depot_fetch+0x5d/0x70
[   26.139039] Modules linked in:
[   26.139778] CPU: 0 PID: 336 Comm: poc Tainted: G    B D W         5.13.0-rc3+ #2
[   26.141483] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   26.143417] RIP: 0010:stack_depot_fetch+0x5d/0x70
[   26.144331] Code: 74 2d 48 c1 e0 04 25 f0 3f 00 00 48 01 d0 48 8d 50 18 48 89 16 8b 40 0c c3 89 f9 44 89 c6 48 c7 c7 d0 47 fb 87 e8 1c b6 8e 01 <0f> 0b 31 c0 c3 31 c0 c3 90 66 2e 0f 1f 84 00 00 00 00 00 48 63 15
[   26.147905] RSP: 0018:ffff8880088bfc50 EFLAGS: 00010086
[   26.148949] RAX: 0000000000000000 RBX: ffff8880075d8e02 RCX: ffffffff8504f048
[   26.150298] RDX: ffff888001868000 RSI: 0000000000000000 RDI: ffff888068c1f598
[   26.151800] RBP: ffffea00001d7600 R08: ffffed100d183eb4 R09: ffffed100d183eb4
[   26.153203] R10: ffff888068c1f59b R11: ffffed100d183eb3 R12: ffff88800112cdc0
[   26.154663] R13: ffff8880075d8e00 R14: ffff8880075d9b80 R15: 0000000000000000
[   26.156163] FS:  00007f1c13d74480(0000) GS:ffff888068c00000(0000) knlGS:0000000000000000
[   26.157652] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.158793] CR2: 00007ffc569bbcd7 CR3: 0000000008810000 CR4: 00000000000006f0
[   26.160229] Call Trace:
[   26.160772]  print_stack+0x9/0x18
[   26.161550]  print_address_description.constprop.8.cold.12+0x12b/0x18a
[   26.162872]  ? __put_task_struct+0x22a/0x4f0
[   26.163770]  kasan_report_invalid_free+0x50/0x80
[   26.164760]  ? __put_task_struct+0x22a/0x4f0
[   26.165614]  __kasan_slab_free+0xfe/0x110
[   26.166382]  ? __put_task_struct+0x22a/0x4f0
[   26.167213]  kmem_cache_free+0x77/0x280
[   26.167915]  __put_task_struct+0x22a/0x4f0
[   26.168732]  kthread_stop+0x2cf/0x370
[   26.169485]  destroy_workqueue+0xff/0x700
[   26.170300]  ? ext4_quota_write+0x600/0x600
[   26.171151]  ext4_put_super+0xdb/0xce0
[   26.171893]  ? ext4_quota_write+0x600/0x600
[   26.172721]  generic_shutdown_super+0x14a/0x370
[   26.173628]  kill_block_super+0x94/0xe0
[   26.174366]  deactivate_locked_super+0x7f/0xe0
[   26.175283]  deactivate_super+0xb2/0xc0
[   26.176021]  cleanup_mnt+0x2ec/0x450
[   26.176698]  task_work_run+0x101/0x1a0
[   26.177432]  exit_to_user_mode_prepare+0x132/0x140
[   26.178462]  syscall_exit_to_user_mode+0x12/0x20
[   26.179371]  do_syscall_64+0x48/0x80
[   26.180145]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   26.181364] RIP: 0033:0x7f1c1389fd77
[   26.182104] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   26.185719] RSP: 002b:00007fffa72c1428 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   26.187183] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1c1389fd77
[   26.188577] RDX: 00007fffa72c150a RSI: 0000000000000002 RDI: 00007fffa72c1500
[   26.190070] RBP: 00007fffa72c2510 R08: 000055b1e31fd083 R09: 000000000000000a
[   26.191547] R10: 0000000000000073 R11: 0000000000000206 R12: 000055b1e1c010b0
[   26.193007] R13: 00007fffa72c2660 R14: 0000000000000000 R15: 0000000000000000
[   26.194514] ---[ end trace d8fc4879a76a1706 ]---
[   26.195530] ------------[ cut here ]------------
[   26.196570] WARNING: CPU: 0 PID: 336 at kernel/stacktrace.c:28 stack_trace_print+0x16/0x20
[   26.198604] Modules linked in:
[   26.199275] CPU: 0 PID: 336 Comm: poc Tainted: G    B D W         5.13.0-rc3+ #2
[   26.200824] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   26.202582] RIP: 0010:stack_trace_print+0x16/0x20
[   26.203443] Code: 00 00 75 06 48 83 c4 60 5b c3 e8 e5 50 4b 02 0f 1f 44 00 00 41 55 41 54 55 53 48 85 ff 74 0b 85 f6 75 0b 5b 5d 41 5c 41 5d c3 <0f> 0b eb f5 e9 37 44 40 02 90 41 57 41 56 41 55 41 54 55 53 48 83
[   26.207062] RSP: 0018:ffff8880088bfc30 EFLAGS: 00010046
[   26.208146] RAX: 0000000000000000 RBX: ffff8880075d8e02 RCX: ffffffff8504f048
[   26.209688] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   26.211005] RBP: ffffea00001d7600 R08: ffffed100d183eb4 R09: ffffed100d183eb4
[   26.212375] R10: ffff888068c1f59b R11: ffffed100d183eb3 R12: ffff88800112cdc0
[   26.214077] R13: ffff8880075d8e00 R14: ffff8880075d9b80 R15: 0000000000000000
[   26.215431] FS:  00007f1c13d74480(0000) GS:ffff888068c00000(0000) knlGS:0000000000000000
[   26.216898] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.217980] CR2: 00007ffc569bbcd7 CR3: 0000000008810000 CR4: 00000000000006f0
[   26.219375] Call Trace:
[   26.219931]  print_stack+0x16/0x18
[   26.220621]  print_address_description.constprop.8.cold.12+0x12b/0x18a
[   26.222082]  ? __put_task_struct+0x22a/0x4f0
[   26.223018]  kasan_report_invalid_free+0x50/0x80
[   26.223902]  ? __put_task_struct+0x22a/0x4f0
[   26.224850]  __kasan_slab_free+0xfe/0x110
[   26.225682]  ? __put_task_struct+0x22a/0x4f0
[   26.226662]  kmem_cache_free+0x77/0x280
[   26.227496]  __put_task_struct+0x22a/0x4f0
[   26.228348]  kthread_stop+0x2cf/0x370
[   26.229216]  destroy_workqueue+0xff/0x700
[   26.230125]  ? ext4_quota_write+0x600/0x600
[   26.231218]  ext4_put_super+0xdb/0xce0
[   26.232073]  ? ext4_quota_write+0x600/0x600
[   26.233026]  generic_shutdown_super+0x14a/0x370
[   26.233985]  kill_block_super+0x94/0xe0
[   26.234790]  deactivate_locked_super+0x7f/0xe0
[   26.235624]  deactivate_super+0xb2/0xc0
[   26.236420]  cleanup_mnt+0x2ec/0x450
[   26.237129]  task_work_run+0x101/0x1a0
[   26.237977]  exit_to_user_mode_prepare+0x132/0x140
[   26.238961]  syscall_exit_to_user_mode+0x12/0x20
[   26.239822]  do_syscall_64+0x48/0x80
[   26.240574]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   26.241829] RIP: 0033:0x7f1c1389fd77
[   26.242562] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f1 00 2b 00 f7 d8 64 89 01 48
[   26.246192] RSP: 002b:00007fffa72c1428 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
[   26.247587] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f1c1389fd77
[   26.248997] RDX: 00007fffa72c150a RSI: 0000000000000002 RDI: 00007fffa72c1500
[   26.250314] RBP: 00007fffa72c2510 R08: 000055b1e31fd083 R09: 000000000000000a
[   26.251786] R10: 0000000000000073 R11: 0000000000000206 R12: 000055b1e1c010b0
[   26.253364] R13: 00007fffa72c2660 R14: 0000000000000000 R15: 0000000000000000
[   26.254782] ---[ end trace d8fc4879a76a1707 ]---
[   26.255930] 
[   26.256317] The buggy address belongs to the object at ffff8880075d8e00
[   26.256317]  which belongs to the cache task_struct of size 3456
[   26.259145] The buggy address is located 2 bytes inside of
[   26.259145]  3456-byte region [ffff8880075d8e00, ffff8880075d9b80)
[   26.261404] The buggy address belongs to the page:
[   26.262356] page:0000000055a51e09 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880075df000 pfn:0x75d8
[   26.264348] head:0000000055a51e09 order:3 compound_mapcount:0 compound_pincount:0
[   26.265713] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   26.266858] raw: 0100000000010200 ffffea0000257600 0000000200000002 ffff88800112cdc0
[   26.268227] raw: ffff8880075df000 0000000080090006 00000001ffffffff 0000000000000000
[   26.269902] page dumped because: kasan: bad access detected
[   26.270960] 
[   26.271272] Memory state around the buggy address:
[   26.272370]  ffff8880075d8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.273911]  ffff8880075d8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.275314] >ffff8880075d8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.276673]                    ^
[   26.277327]  ffff8880075d8e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.278712]  ffff8880075d8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.280176] ==================================================================
