* Re: KASAN: use-after-free Read in iov_iter_alignment
[not found] <000000000000ad9f910598bbb867@google.com>
@ 2019-12-02 21:10 ` Dave Chinner
2019-12-02 23:11 ` Matthew Bobrowski
2019-12-16 10:48 ` Jan Kara
0 siblings, 2 replies; 7+ messages in thread
From: Dave Chinner @ 2019-12-02 21:10 UTC (permalink / raw)
To: syzbot
Cc: darrick.wong, hch, linux-fsdevel, linux-kernel, linux-xfs,
syzkaller-bugs, linux-ext4
[cc linux-ext4@vger.kernel.org - this is reported from the new ext4
dio->iomap code]
On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> lib/iov_iter.c:1225
> Read of size 4 at addr ffff888098d40f54 by task loop0/8203
>
> CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> kasan_report+0x26/0x50 mm/kasan/common.c:634
> __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
code.
> do_req_filebacked drivers/block/loop.c:616 [inline]
> loop_handle_cmd drivers/block/loop.c:1952 [inline]
> loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> kthread+0x332/0x350 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>
> Allocated by task 4198:
> save_stack mm/kasan/common.c:69 [inline]
> set_track mm/kasan/common.c:77 [inline]
> __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> slab_post_alloc_hook mm/slab.h:584 [inline]
> slab_alloc mm/slab.c:3319 [inline]
> kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> bio_alloc include/linux/bio.h:400 [inline]
> mpage_alloc fs/mpage.c:79 [inline]
> do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> read_pages+0xad/0x4d0 mm/readahead.c:126
> __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> force_page_cache_readahead mm/readahead.c:243 [inline]
> page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> call_read_iter include/linux/fs.h:1889 [inline]
> new_sync_read fs/read_write.c:414 [inline]
> __vfs_read+0x59e/0x730 fs/read_write.c:427
> vfs_read+0x1dd/0x420 fs/read_write.c:461
> ksys_read+0x117/0x220 fs/read_write.c:587
> __do_sys_read fs/read_write.c:597 [inline]
> __se_sys_read fs/read_write.c:595 [inline]
> __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 4205:
> save_stack mm/kasan/common.c:69 [inline]
> set_track mm/kasan/common.c:77 [inline]
> kasan_set_free_info mm/kasan/common.c:332 [inline]
> __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> __cache_free mm/slab.c:3425 [inline]
> kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> mempool_free+0xd5/0x350 mm/mempool.c:502
> bio_put+0x38b/0x460 block/bio.c:255
> mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> bio_endio+0x4ff/0x570 block/bio.c:1818
> req_bio_endio block/blk-core.c:245 [inline]
> blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
Looks like buffered read IO on a loopback device on an ext4 image
file, and something is being tripped over in the new ext4 direct IO
path. Might be an iomap issue, might be an ext4 issue, but it looks
like the buffered read bio completion is running while the iov is
still being submitted...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-02 21:10 ` KASAN: use-after-free Read in iov_iter_alignment Dave Chinner
@ 2019-12-02 23:11 ` Matthew Bobrowski
2019-12-13 11:30 ` Jan Kara
2019-12-16 10:48 ` Jan Kara
1 sibling, 1 reply; 7+ messages in thread
From: Matthew Bobrowski @ 2019-12-02 23:11 UTC (permalink / raw)
To: Dave Chinner
Cc: syzbot, darrick.wong, hch, linux-fsdevel, linux-kernel,
linux-xfs, syzkaller-bugs, linux-ext4
On Tue, Dec 03, 2019 at 08:10:37AM +1100, Dave Chinner wrote:
> [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> dio->iomap code]
>
> On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> > lib/iov_iter.c:1225
> > Read of size 4 at addr ffff888098d40f54 by task loop0/8203
> >
> > CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> > print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> > __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> > kasan_report+0x26/0x50 mm/kasan/common.c:634
> > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> > iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> > iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> > iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> > iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> > iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> > ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> > ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> > lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
>
> loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
> code.
>
> > do_req_filebacked drivers/block/loop.c:616 [inline]
> > loop_handle_cmd drivers/block/loop.c:1952 [inline]
> > loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> > kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> > loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> > kthread+0x332/0x350 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 4198:
> > save_stack mm/kasan/common.c:69 [inline]
> > set_track mm/kasan/common.c:77 [inline]
> > __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> > slab_post_alloc_hook mm/slab.h:584 [inline]
> > slab_alloc mm/slab.c:3319 [inline]
> > kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> > mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> > mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> > bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> > bio_alloc include/linux/bio.h:400 [inline]
> > mpage_alloc fs/mpage.c:79 [inline]
> > do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> > mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> > blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> > read_pages+0xad/0x4d0 mm/readahead.c:126
> > __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> > force_page_cache_readahead mm/readahead.c:243 [inline]
> > page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> > generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> > generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> > blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> > call_read_iter include/linux/fs.h:1889 [inline]
> > new_sync_read fs/read_write.c:414 [inline]
> > __vfs_read+0x59e/0x730 fs/read_write.c:427
> > vfs_read+0x1dd/0x420 fs/read_write.c:461
> > ksys_read+0x117/0x220 fs/read_write.c:587
> > __do_sys_read fs/read_write.c:597 [inline]
> > __se_sys_read fs/read_write.c:595 [inline]
> > __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> > do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > Freed by task 4205:
> > save_stack mm/kasan/common.c:69 [inline]
> > set_track mm/kasan/common.c:77 [inline]
> > kasan_set_free_info mm/kasan/common.c:332 [inline]
> > __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> > kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> > __cache_free mm/slab.c:3425 [inline]
> > kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> > mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> > mempool_free+0xd5/0x350 mm/mempool.c:502
> > bio_put+0x38b/0x460 block/bio.c:255
> > mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> > bio_endio+0x4ff/0x570 block/bio.c:1818
> > req_bio_endio block/blk-core.c:245 [inline]
> > blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> > scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> > scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> > scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> > scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> > blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> > __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
>
> Looks like buffered read IO on a loopback device on an ext4 image
> file, and something is being tripped over in the new ext4 direct IO
> path. Might be an iomap issue, might be an ext4 issue, but it looks
> like the buffered read bio completion is running while the iov is
> still being submitted...
Thanks Dave.
I will take a look at this when I get home this evening and see
whether I can pinpoint what's going on here...
/M
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-02 23:11 ` Matthew Bobrowski
@ 2019-12-13 11:30 ` Jan Kara
2019-12-15 10:24 ` Matthew Bobrowski
0 siblings, 1 reply; 7+ messages in thread
From: Jan Kara @ 2019-12-13 11:30 UTC (permalink / raw)
To: Matthew Bobrowski
Cc: Dave Chinner, syzbot, darrick.wong, hch, linux-fsdevel,
linux-kernel, linux-xfs, syzkaller-bugs, linux-ext4
On Tue 03-12-19 10:11:20, Matthew Bobrowski wrote:
> On Tue, Dec 03, 2019 at 08:10:37AM +1100, Dave Chinner wrote:
> > [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> > dio->iomap code]
> >
> > On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> > >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> > > lib/iov_iter.c:1225
> > > Read of size 4 at addr ffff888098d40f54 by task loop0/8203
> > >
> > > CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Call Trace:
> > > __dump_stack lib/dump_stack.c:77 [inline]
> > > dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> > > print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> > > __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> > > kasan_report+0x26/0x50 mm/kasan/common.c:634
> > > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> > > iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> > > iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> > > iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> > > iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> > > iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> > > ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> > > ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> > > lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
> >
> > loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
> > code.
> >
> > > do_req_filebacked drivers/block/loop.c:616 [inline]
> > > loop_handle_cmd drivers/block/loop.c:1952 [inline]
> > > loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> > > kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> > > loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> > > kthread+0x332/0x350 kernel/kthread.c:255
> > > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > >
> > > Allocated by task 4198:
> > > save_stack mm/kasan/common.c:69 [inline]
> > > set_track mm/kasan/common.c:77 [inline]
> > > __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> > > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> > > slab_post_alloc_hook mm/slab.h:584 [inline]
> > > slab_alloc mm/slab.c:3319 [inline]
> > > kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> > > mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> > > mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> > > bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> > > bio_alloc include/linux/bio.h:400 [inline]
> > > mpage_alloc fs/mpage.c:79 [inline]
> > > do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> > > mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> > > blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> > > read_pages+0xad/0x4d0 mm/readahead.c:126
> > > __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> > > force_page_cache_readahead mm/readahead.c:243 [inline]
> > > page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> > > generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> > > generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> > > blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> > > call_read_iter include/linux/fs.h:1889 [inline]
> > > new_sync_read fs/read_write.c:414 [inline]
> > > __vfs_read+0x59e/0x730 fs/read_write.c:427
> > > vfs_read+0x1dd/0x420 fs/read_write.c:461
> > > ksys_read+0x117/0x220 fs/read_write.c:587
> > > __do_sys_read fs/read_write.c:597 [inline]
> > > __se_sys_read fs/read_write.c:595 [inline]
> > > __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> > > do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > >
> > > Freed by task 4205:
> > > save_stack mm/kasan/common.c:69 [inline]
> > > set_track mm/kasan/common.c:77 [inline]
> > > kasan_set_free_info mm/kasan/common.c:332 [inline]
> > > __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> > > kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> > > __cache_free mm/slab.c:3425 [inline]
> > > kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> > > mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> > > mempool_free+0xd5/0x350 mm/mempool.c:502
> > > bio_put+0x38b/0x460 block/bio.c:255
> > > mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> > > bio_endio+0x4ff/0x570 block/bio.c:1818
> > > req_bio_endio block/blk-core.c:245 [inline]
> > > blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> > > scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> > > scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> > > scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> > > scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> > > blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> > > __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
> >
> > Looks like buffered read IO on a loopback device on an ext4 image
> > file, and something is being tripped over in the new ext4 direct IO
> > path. Might be an iomap issue, might be an ext4 issue, but it looks
> > like the buffered read bio completion is running while the iov is
> > still being submitted...
>
> Thanks Dave.
>
> I will take a look at this when I get home this evening and see
> whether I can pinpoint what's going on here...
Any luck in diagnosing this Matthew?
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-13 11:30 ` Jan Kara
@ 2019-12-15 10:24 ` Matthew Bobrowski
2019-12-16 10:32 ` Jan Kara
0 siblings, 1 reply; 7+ messages in thread
From: Matthew Bobrowski @ 2019-12-15 10:24 UTC (permalink / raw)
To: Jan Kara
Cc: Dave Chinner, syzbot, darrick.wong, hch, linux-fsdevel,
linux-kernel, linux-xfs, syzkaller-bugs, linux-ext4
On Fri, Dec 13, 2019 at 12:30:30PM +0100, Jan Kara wrote:
> On Tue 03-12-19 10:11:20, Matthew Bobrowski wrote:
> > On Tue, Dec 03, 2019 at 08:10:37AM +1100, Dave Chinner wrote:
> > > [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> > > dio->iomap code]
> > >
> > > On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > > > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> > > >
> > > > ==================================================================
> > > > BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> > > > lib/iov_iter.c:1225
> > > > Read of size 4 at addr ffff888098d40f54 by task loop0/8203
> > > >
> > > > CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > Google 01/01/2011
> > > > Call Trace:
> > > > __dump_stack lib/dump_stack.c:77 [inline]
> > > > dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> > > > print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> > > > __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> > > > kasan_report+0x26/0x50 mm/kasan/common.c:634
> > > > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> > > > iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> > > > iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> > > > iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> > > > iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> > > > iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> > > > ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> > > > ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> > > > lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
> > >
> > > loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
> > > code.
> > >
> > > > do_req_filebacked drivers/block/loop.c:616 [inline]
> > > > loop_handle_cmd drivers/block/loop.c:1952 [inline]
> > > > loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> > > > kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> > > > loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> > > > kthread+0x332/0x350 kernel/kthread.c:255
> > > > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > > >
> > > > Allocated by task 4198:
> > > > save_stack mm/kasan/common.c:69 [inline]
> > > > set_track mm/kasan/common.c:77 [inline]
> > > > __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> > > > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> > > > slab_post_alloc_hook mm/slab.h:584 [inline]
> > > > slab_alloc mm/slab.c:3319 [inline]
> > > > kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> > > > mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> > > > mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> > > > bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> > > > bio_alloc include/linux/bio.h:400 [inline]
> > > > mpage_alloc fs/mpage.c:79 [inline]
> > > > do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> > > > mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> > > > blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> > > > read_pages+0xad/0x4d0 mm/readahead.c:126
> > > > __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> > > > force_page_cache_readahead mm/readahead.c:243 [inline]
> > > > page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> > > > generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> > > > generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> > > > blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> > > > call_read_iter include/linux/fs.h:1889 [inline]
> > > > new_sync_read fs/read_write.c:414 [inline]
> > > > __vfs_read+0x59e/0x730 fs/read_write.c:427
> > > > vfs_read+0x1dd/0x420 fs/read_write.c:461
> > > > ksys_read+0x117/0x220 fs/read_write.c:587
> > > > __do_sys_read fs/read_write.c:597 [inline]
> > > > __se_sys_read fs/read_write.c:595 [inline]
> > > > __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> > > > do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > >
> > > > Freed by task 4205:
> > > > save_stack mm/kasan/common.c:69 [inline]
> > > > set_track mm/kasan/common.c:77 [inline]
> > > > kasan_set_free_info mm/kasan/common.c:332 [inline]
> > > > __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> > > > kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> > > > __cache_free mm/slab.c:3425 [inline]
> > > > kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> > > > mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> > > > mempool_free+0xd5/0x350 mm/mempool.c:502
> > > > bio_put+0x38b/0x460 block/bio.c:255
> > > > mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> > > > bio_endio+0x4ff/0x570 block/bio.c:1818
> > > > req_bio_endio block/blk-core.c:245 [inline]
> > > > blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> > > > scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> > > > scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> > > > scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> > > > scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> > > > blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> > > > __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
> > >
> > > Looks like buffered read IO on a loopback device on an ext4 image
> > > file, and something is being tripped over in the new ext4 direct IO
> > > path. Might be an iomap issue, might be an ext4 issue, but it looks
> > > like the buffered read bio completion is running while the iov is
> > > still being submitted...
> >
> > Thanks Dave.
> >
> > I will take a look at this when I get home this evening and see
> > whether I can pinpoint what's going on here...
>
> Any luck in diagnosing this Matthew?
No, not yet. I just purchased my first home and I'm not far out from
my wedding day, so I've had my hands tied behind by back doing all
that crap. I will try get to it sometime this week.
/M
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-15 10:24 ` Matthew Bobrowski
@ 2019-12-16 10:32 ` Jan Kara
0 siblings, 0 replies; 7+ messages in thread
From: Jan Kara @ 2019-12-16 10:32 UTC (permalink / raw)
To: Matthew Bobrowski
Cc: Jan Kara, Dave Chinner, syzbot, darrick.wong, hch, linux-fsdevel,
linux-kernel, linux-xfs, syzkaller-bugs, linux-ext4
On Sun 15-12-19 21:24:24, Matthew Bobrowski wrote:
> On Fri, Dec 13, 2019 at 12:30:30PM +0100, Jan Kara wrote:
> > On Tue 03-12-19 10:11:20, Matthew Bobrowski wrote:
> > > On Tue, Dec 03, 2019 at 08:10:37AM +1100, Dave Chinner wrote:
> > > > [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> > > > dio->iomap code]
> > > >
> > > > On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > > > > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > > > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e0000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> > > > >
> > > > > ==================================================================
> > > > > BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> > > > > lib/iov_iter.c:1225
> > > > > Read of size 4 at addr ffff888098d40f54 by task loop0/8203
> > > > >
> > > > > CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > > > Google 01/01/2011
> > > > > Call Trace:
> > > > > __dump_stack lib/dump_stack.c:77 [inline]
> > > > > dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> > > > > print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> > > > > __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> > > > > kasan_report+0x26/0x50 mm/kasan/common.c:634
> > > > > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> > > > > iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> > > > > iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> > > > > iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> > > > > iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> > > > > iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> > > > > ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> > > > > ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> > > > > lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
> > > >
> > > > loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
> > > > code.
> > > >
> > > > > do_req_filebacked drivers/block/loop.c:616 [inline]
> > > > > loop_handle_cmd drivers/block/loop.c:1952 [inline]
> > > > > loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> > > > > kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> > > > > loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> > > > > kthread+0x332/0x350 kernel/kthread.c:255
> > > > > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > > > >
> > > > > Allocated by task 4198:
> > > > > save_stack mm/kasan/common.c:69 [inline]
> > > > > set_track mm/kasan/common.c:77 [inline]
> > > > > __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> > > > > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> > > > > slab_post_alloc_hook mm/slab.h:584 [inline]
> > > > > slab_alloc mm/slab.c:3319 [inline]
> > > > > kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> > > > > mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> > > > > mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> > > > > bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> > > > > bio_alloc include/linux/bio.h:400 [inline]
> > > > > mpage_alloc fs/mpage.c:79 [inline]
> > > > > do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> > > > > mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> > > > > blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> > > > > read_pages+0xad/0x4d0 mm/readahead.c:126
> > > > > __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> > > > > force_page_cache_readahead mm/readahead.c:243 [inline]
> > > > > page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> > > > > generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> > > > > generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> > > > > blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> > > > > call_read_iter include/linux/fs.h:1889 [inline]
> > > > > new_sync_read fs/read_write.c:414 [inline]
> > > > > __vfs_read+0x59e/0x730 fs/read_write.c:427
> > > > > vfs_read+0x1dd/0x420 fs/read_write.c:461
> > > > > ksys_read+0x117/0x220 fs/read_write.c:587
> > > > > __do_sys_read fs/read_write.c:597 [inline]
> > > > > __se_sys_read fs/read_write.c:595 [inline]
> > > > > __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> > > > > do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > > >
> > > > > Freed by task 4205:
> > > > > save_stack mm/kasan/common.c:69 [inline]
> > > > > set_track mm/kasan/common.c:77 [inline]
> > > > > kasan_set_free_info mm/kasan/common.c:332 [inline]
> > > > > __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> > > > > kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> > > > > __cache_free mm/slab.c:3425 [inline]
> > > > > kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> > > > > mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> > > > > mempool_free+0xd5/0x350 mm/mempool.c:502
> > > > > bio_put+0x38b/0x460 block/bio.c:255
> > > > > mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> > > > > bio_endio+0x4ff/0x570 block/bio.c:1818
> > > > > req_bio_endio block/blk-core.c:245 [inline]
> > > > > blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> > > > > scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> > > > > scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> > > > > scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> > > > > scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> > > > > blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> > > > > __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
> > > >
> > > > Looks like buffered read IO on a loopback device on an ext4 image
> > > > file, and something is being tripped over in the new ext4 direct IO
> > > > path. Might be an iomap issue, might be an ext4 issue, but it looks
> > > > like the buffered read bio completion is running while the iov is
> > > > still being submitted...
> > >
> > > Thanks Dave.
> > >
> > > I will take a look at this when I get home this evening and see
> > > whether I can pinpoint what's going on here...
> >
> > Any luck in diagnosing this Matthew?
>
> No, not yet. I just purchased my first home and I'm not far out from
> my wedding day, so I've had my hands tied behind by back doing all
> that crap. I will try get to it sometime this week.
Sure, no problem, I'll try to find some time to look into this as well.
Congratulations to your marriage BTW :)
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-02 21:10 ` KASAN: use-after-free Read in iov_iter_alignment Dave Chinner
2019-12-02 23:11 ` Matthew Bobrowski
@ 2019-12-16 10:48 ` Jan Kara
2019-12-16 10:58 ` Jan Kara
1 sibling, 1 reply; 7+ messages in thread
From: Jan Kara @ 2019-12-16 10:48 UTC (permalink / raw)
To: Dave Chinner
Cc: syzbot, darrick.wong, hch, linux-fsdevel, linux-kernel,
linux-xfs, syzkaller-bugs, linux-ext4, David Howells
On Tue 03-12-19 08:10:37, Dave Chinner wrote:
> [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> dio->iomap code]
>
> On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in iov_iter_alignment+0x6a1/0x7b0
> > lib/iov_iter.c:1225
> > Read of size 4 at addr ffff888098d40f54 by task loop0/8203
> >
> > CPU: 0 PID: 8203 Comm: loop0 Not tainted 5.4.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x1fb/0x318 lib/dump_stack.c:118
> > print_address_description+0x75/0x5c0 mm/kasan/report.c:374
> > __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
> > kasan_report+0x26/0x50 mm/kasan/common.c:634
> > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
> > iov_iter_alignment+0x6a1/0x7b0 lib/iov_iter.c:1225
> > iomap_dio_bio_actor+0x1a7/0x11e0 fs/iomap/direct-io.c:203
> > iomap_dio_actor+0x2b4/0x4a0 fs/iomap/direct-io.c:375
> > iomap_apply+0x370/0x490 fs/iomap/apply.c:80
> > iomap_dio_rw+0x8ad/0x1010 fs/iomap/direct-io.c:493
> > ext4_dio_read_iter fs/ext4/file.c:77 [inline]
> > ext4_file_read_iter+0x834/0xc20 fs/ext4/file.c:128
> > lo_rw_aio+0xcbb/0xea0 include/linux/fs.h:1889
>
> loopback -> ext4 direct IO, bad access on iov passed to iomap DIO
> code.
>
> > do_req_filebacked drivers/block/loop.c:616 [inline]
> > loop_handle_cmd drivers/block/loop.c:1952 [inline]
> > loop_queue_work+0x13ab/0x2590 drivers/block/loop.c:1966
> > kthread_worker_fn+0x449/0x700 kernel/kthread.c:671
> > loop_kthread_worker_fn+0x40/0x60 drivers/block/loop.c:901
> > kthread+0x332/0x350 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > Allocated by task 4198:
> > save_stack mm/kasan/common.c:69 [inline]
> > set_track mm/kasan/common.c:77 [inline]
> > __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
> > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
> > slab_post_alloc_hook mm/slab.h:584 [inline]
> > slab_alloc mm/slab.c:3319 [inline]
> > kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483
> > mempool_alloc_slab+0x4d/0x70 mm/mempool.c:513
> > mempool_alloc+0x104/0x5e0 mm/mempool.c:393
> > bio_alloc_bioset+0x1b0/0x5f0 block/bio.c:477
> > bio_alloc include/linux/bio.h:400 [inline]
> > mpage_alloc fs/mpage.c:79 [inline]
> > do_mpage_readpage+0x1685/0x1d10 fs/mpage.c:306
> > mpage_readpages+0x2a9/0x440 fs/mpage.c:404
> > blkdev_readpages+0x2c/0x40 fs/block_dev.c:620
> > read_pages+0xad/0x4d0 mm/readahead.c:126
> > __do_page_cache_readahead+0x480/0x530 mm/readahead.c:212
> > force_page_cache_readahead mm/readahead.c:243 [inline]
> > page_cache_sync_readahead+0x329/0x3b0 mm/readahead.c:522
> > generic_file_buffered_read+0x41d/0x2570 mm/filemap.c:2051
> > generic_file_read_iter+0xa9/0x450 mm/filemap.c:2324
> > blkdev_read_iter+0x12e/0x140 fs/block_dev.c:2039
> > call_read_iter include/linux/fs.h:1889 [inline]
> > new_sync_read fs/read_write.c:414 [inline]
> > __vfs_read+0x59e/0x730 fs/read_write.c:427
> > vfs_read+0x1dd/0x420 fs/read_write.c:461
> > ksys_read+0x117/0x220 fs/read_write.c:587
> > __do_sys_read fs/read_write.c:597 [inline]
> > __se_sys_read fs/read_write.c:595 [inline]
> > __x64_sys_read+0x7b/0x90 fs/read_write.c:595
> > do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > Freed by task 4205:
> > save_stack mm/kasan/common.c:69 [inline]
> > set_track mm/kasan/common.c:77 [inline]
> > kasan_set_free_info mm/kasan/common.c:332 [inline]
> > __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
> > kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
> > __cache_free mm/slab.c:3425 [inline]
> > kmem_cache_free+0x81/0xf0 mm/slab.c:3693
> > mempool_free_slab+0x1d/0x30 mm/mempool.c:520
> > mempool_free+0xd5/0x350 mm/mempool.c:502
> > bio_put+0x38b/0x460 block/bio.c:255
> > mpage_end_io+0x2f5/0x330 fs/mpage.c:58
> > bio_endio+0x4ff/0x570 block/bio.c:1818
> > req_bio_endio block/blk-core.c:245 [inline]
> > blk_update_request+0x438/0x10d0 block/blk-core.c:1464
> > scsi_end_request+0x8c/0xa20 drivers/scsi/scsi_lib.c:579
> > scsi_io_completion+0x17c/0x1b80 drivers/scsi/scsi_lib.c:963
> > scsi_finish_command+0x3b3/0x560 drivers/scsi/scsi.c:228
> > scsi_softirq_done+0x289/0x310 drivers/scsi/scsi_lib.c:1477
> > blk_done_softirq+0x312/0x370 block/blk-softirq.c:37
> > __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:762
>
> Looks like buffered read IO on a loopback device on an ext4 image
> file, and something is being tripped over in the new ext4 direct IO
> path. Might be an iomap issue, might be an ext4 issue, but it looks
> like the buffered read bio completion is running while the iov is
> still being submitted...
Looking a bit more into this, I'm pretty sure this is caused by commit
8cefc107ca54c "pipe: Use head and tail pointers for the ring, not cursor
and length". The pipe dereference it has added to iov_iter_alignment() is
just bogus for all iter types except for pipes. I'll send a fix.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: KASAN: use-after-free Read in iov_iter_alignment
2019-12-16 10:48 ` Jan Kara
@ 2019-12-16 10:58 ` Jan Kara
0 siblings, 0 replies; 7+ messages in thread
From: Jan Kara @ 2019-12-16 10:58 UTC (permalink / raw)
To: Dave Chinner
Cc: syzbot, darrick.wong, hch, linux-fsdevel, linux-kernel,
linux-xfs, syzkaller-bugs, linux-ext4, David Howells
[-- Attachment #1: Type: text/plain, Size: 1836 bytes --]
On Mon 16-12-19 11:48:36, Jan Kara wrote:
> On Tue 03-12-19 08:10:37, Dave Chinner wrote:
> > [cc linux-ext4@vger.kernel.org - this is reported from the new ext4
> > dio->iomap code]
> >
> > On Mon, Dec 02, 2019 at 09:15:08AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: b94ae8ad Merge tag 'seccomp-v5.5-rc1' of git://git.kernel...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=135a8d7ae00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=c2e464ae414aee8c
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=bea68382bae9490e7dd6
> > > compiler: clang version 9.0.0 (/home/glider/llvm/clang
> > > 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1135cb36e00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e90abce00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
> > >
...
> > Looks like buffered read IO on a loopback device on an ext4 image
> > file, and something is being tripped over in the new ext4 direct IO
> > path. Might be an iomap issue, might be an ext4 issue, but it looks
> > like the buffered read bio completion is running while the iov is
> > still being submitted...
>
> Looking a bit more into this, I'm pretty sure this is caused by commit
> 8cefc107ca54c "pipe: Use head and tail pointers for the ring, not cursor
> and length". The pipe dereference it has added to iov_iter_alignment() is
> just bogus for all iter types except for pipes. I'll send a fix.
For reference the fix I've sent is attached.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
[-- Attachment #2: 0001-pipe-Fix-bogus-dereference-in-iov_iter_alignment.patch --]
[-- Type: text/x-patch, Size: 1348 bytes --]
From bc27e20fdd29b97b45015e1443128b4d3ff9455e Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Mon, 16 Dec 2019 11:44:14 +0100
Subject: [PATCH] pipe: Fix bogus dereference in iov_iter_alignment()
We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
ring_size load to a branch in iov_iter_alignment() where we've already
checked the iter is a pipe to avoid bogus dereference.
Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
Signed-off-by: Jan Kara <jack@suse.cz>
---
lib/iov_iter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Al, David, not sure who's going to merge this so sending to both :).
Honza
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index fb29c02c6a3c..51595bf3af85 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1222,11 +1222,12 @@ EXPORT_SYMBOL(iov_iter_discard);
unsigned long iov_iter_alignment(const struct iov_iter *i)
{
- unsigned int p_mask = i->pipe->ring_size - 1;
unsigned long res = 0;
size_t size = i->count;
if (unlikely(iov_iter_is_pipe(i))) {
+ unsigned int p_mask = i->pipe->ring_size - 1;
+
if (size && i->iov_offset && allocated(&i->pipe->bufs[i->head & p_mask]))
return size | i->iov_offset;
return size;
--
2.16.4
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-12-16 10:58 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <000000000000ad9f910598bbb867@google.com>
2019-12-02 21:10 ` KASAN: use-after-free Read in iov_iter_alignment Dave Chinner
2019-12-02 23:11 ` Matthew Bobrowski
2019-12-13 11:30 ` Jan Kara
2019-12-15 10:24 ` Matthew Bobrowski
2019-12-16 10:32 ` Jan Kara
2019-12-16 10:48 ` Jan Kara
2019-12-16 10:58 ` Jan Kara
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).