User-memory-access in ext4_orphan_del

From: Andrey Konovalov
Date: Thu Sep 17 2015 - 09:01:37 EST


Hi!

While fuzzing the kernel (d25ed277fbd) with KASAN and Trinity, I got
the report below.

This report is followed by:
kernel BUG at fs/buffer.c:3025
BUG: KASan: use after free in mutex_optimistic_spin

Crash log is here:
https://gist.github.com/xairy/3b7fcf1cd2541c64c8d1

Here is another crash log that I got in a separate run (starts with
kernel BUG at fs/ext4/ext4.h:2610!), but it seems somewhat similar:
https://gist.github.com/xairy/6ab010c20eb437ec23af

==================================================================
BUG: KASan: user-memory-access on address dead000000000108
Write of size 8 by task rs:main Q:Reg/2999
CPU: 0 PID: 2999 Comm: rs:main Q:Reg Not tainted 4.3.0-rc1-kasan #9
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
ffff880034067990 ffff880034507a40 ffffffff814a3aac 0000000000000297
ffff880034507a60 ffffffff812107a9 ffff8800340679d0 dead000000000200
ffff880034507a98 ffffffff8120f1ca dead000000000108 ffff880034507a98
Call Trace:
[<ffffffff814a3aac>] dump_stack+0x44/0x58 lib/dump_stack.c:15
[<ffffffff812107a9>] kasan_report_user_access+0x89/0xb0 ??:0
[<ffffffff8120f1ca>] __asan_store8+0x8a/0xa0 ??:0
[< inline >] ? __list_del include/linux/list.h:89
[< inline >] ? __list_del_entry include/linux/list.h:102
[< inline >] ? list_del_init include/linux/list.h:145
[<ffffffff812e8874>] ? ext4_orphan_del+0x114/0x3a0 fs/ext4/namei.c:2859
[< inline >] __list_del include/linux/list.h:89
[< inline >] __list_del_entry include/linux/list.h:102
[< inline >] list_del_init include/linux/list.h:145
[<ffffffff812e8874>] ext4_orphan_del+0x114/0x3a0 fs/ext4/namei.c:2859
[<ffffffff812d89cc>] ext4_truncate+0x50c/0x640 fs/ext4/inode.c:3797
[<ffffffff812d9248>] ext4_da_write_begin+0x228/0x3a0 fs/ext4/truncate.h:14
[<ffffffff811a1e62>] generic_perform_write+0x112/0x2e0 mm/filemap.c:2476
[<ffffffff811a49f3>] __generic_file_write_iter+0x253/0x2f0 mm/filemap.c:2622
[<ffffffff81115e9a>] ? get_futex_key_refs.isra.12+0x1a/0x50 kernel/futex.c:399
[< inline >] ? iov_iter_truncate include/linux/uio.h:136
[<ffffffff811a236e>] ? generic_write_checks+0x12e/0x210 mm/filemap.c:2333
[<ffffffff812c95ab>] ext4_file_write_iter+0x16b/0x5f0 file.c:0
[<ffffffff811165fc>] ? futex_wake+0x8c/0x1d0 kernel/futex.c:611
[<ffffffff814be772>] ? iov_iter_init+0x82/0xc0 ??:0
[<ffffffff81217818>] __vfs_write+0x128/0x170 ??:0
[<ffffffff812180ab>] vfs_write+0xeb/0x250 ??:0
[<ffffffff81219283>] SyS_write+0x53/0xb0 ??:0
[<ffffffff81d4ed62>] tracesys_phase2+0x84/0x89 arch/x86/entry/entry_64.S:269
==================================================================
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 2999 Comm: rs:main Q:Reg Not tainted 4.3.0-rc1-kasan #9
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
task: ffff880033d75940 ti: ffff880034500000 task.ti: ffff880034500000
RIP: 0010:[<ffffffff812e887b>] [<ffffffff812e887b>] ext4_orphan_del+0x11b/0x3a0
RSP: 0018:ffff880034507aa8 EFLAGS: 00010297
RAX: dead000000000100 RBX: ffff8800340679d0 RCX: 0000000000000042
RDX: 1ffffffff04a6bd0 RSI: 0000000000000297 RDI: dead000000000200
RBP: ffff880034507b30 R08: 000000000000003d R09: 000000000000003d
R10: ffffffff824c057b R11: 3d3d3d3d3d3d3d3d R12: dead000000000200
R13: ffff880034ac40c0 R14: 0000000000000000 R15: ffff880034067990
FS: 00007f8731819700(0000) GS:ffff880036400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffc6cbdfc8 CR3: 0000000032b96000 CR4: 00000000000006f0
DR0: 00007f0dd31d7000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
ffff8800340679f8 ffff880034ac42d0 dead000000000200 ffff880034067910
dead000000000100 ffff880034216b80 ffff8800341f9238 0000000000000b00
ffff880000000002 ffff8800341f9238 0000000000000b00 ffff880000000002
Call Trace:
[<ffffffff812d89cc>] ext4_truncate+0x50c/0x640 fs/ext4/inode.c:3797
[<ffffffff812d9248>] ext4_da_write_begin+0x228/0x3a0 fs/ext4/truncate.h:14
[<ffffffff811a1e62>] generic_perform_write+0x112/0x2e0 mm/filemap.c:2476
[<ffffffff811a49f3>] __generic_file_write_iter+0x253/0x2f0 mm/filemap.c:2622
[<ffffffff81115e9a>] ? get_futex_key_refs.isra.12+0x1a/0x50 kernel/futex.c:399
[< inline >] ? iov_iter_truncate include/linux/uio.h:136
[<ffffffff811a236e>] ? generic_write_checks+0x12e/0x210 mm/filemap.c:2333
[<ffffffff812c95ab>] ext4_file_write_iter+0x16b/0x5f0 file.c:0
[<ffffffff811165fc>] ? futex_wake+0x8c/0x1d0 kernel/futex.c:611
[<ffffffff814be772>] ? iov_iter_init+0x82/0xc0 ??:0
[<ffffffff81217818>] __vfs_write+0x128/0x170 ??:0
[<ffffffff812180ab>] vfs_write+0xeb/0x250 ??:0
[<ffffffff81219283>] SyS_write+0x53/0xb0 ??:0
[<ffffffff81d4ed62>] tracesys_phase2+0x84/0x89 arch/x86/entry/entry_64.S:269
Code: ff 48 8b 43 c0 49 8d 7c 24 08 48 89 45 98 e8 9d 6c f2 ff 48 8b
45 98 4c 8b 63 c8 48 8d 78 08 e8 cc 68 f2 ff 48 8b 45 98 4c 89 e7 <4c>
89 60 08 e8 bc 68 f2 ff 48 8b 45 98 45 85 f6 49 89 04 24 4c
RIP [< inline >] __list_del include/linux/list.h:90
RIP [< inline >] __list_del_entry include/linux/list.h:102
RIP [< inline >] list_del_init include/linux/list.h:145
RIP [<ffffffff812e887b>] ext4_orphan_del+0x11b/0x3a0 fs/ext4/namei.c:2859
RSP <ffff880034507aa8>
---[ end trace 73c806d9f233bae7 ]---
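Added note and example (not part of the report above, and not kernel code): the faulting address in the KASAN report is 0xdead000000000108, and the register dump plus the faulting instruction (`4c 89 60 08` is `mov %r12,0x8(%rax)`, with RAX = dead000000000100 and R12 = dead000000000200) show that `__list_del` was doing `next->prev = prev` with next == LIST_POISON1 and prev == LIST_POISON2. Those are the values a plain `list_del()` leaves in an entry, so the orphan link had already been unlinked and poisoned before `ext4_orphan_del` ran `list_del_init()` on it again; the report itself does not say where that earlier unlink happened. The user-space C below emulates the kernel's list helpers with the x86-64 poison values from include/linux/poison.h, reproduces that exact address without performing the bad store, and shows why a repeated `list_del_init()` would have been harmless. `struct fake_inode` and the `*_emulated` function names are hypothetical stand-ins.

```c
/* Emulation of kernel list_del()/list_del_init() poisoning (added example,
 * not kernel code). Assumes a 64-bit build so the poison values fit a pointer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* include/linux/poison.h values on x86-64 (POISON_POINTER_DELTA is 0). */
#define LIST_POISON1 ((uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((uintptr_t)0xdead000000000200ULL)

struct list_head { struct list_head *next, *prev; };

/* Hypothetical stand-in for struct ext4_inode_info: only i_orphan matters. */
struct fake_inode { int ino; struct list_head i_orphan; };

static void init_list_head(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_emulated(struct list_head *entry, struct list_head *head)
{
    entry->next = head->next;
    entry->prev = head;
    head->next->prev = entry;
    head->next = entry;
}

/* fault_addr: address the first bad store would hit, 0 if the unlink ran. */
struct del_result { bool ok; uintptr_t fault_addr; };

static bool is_list_poison(const struct list_head *p)
{
    return (uintptr_t)p == LIST_POISON1 || (uintptr_t)p == LIST_POISON2;
}

/* Mirrors __list_del(): first store is next->prev = prev, so a poisoned next
 * faults at next + offsetof(prev). The non-debug kernel inline does not check
 * this; CONFIG_DEBUG_LIST adds a WARN for exactly this condition. */
static struct del_result unlink_emulated(struct list_head *entry)
{
    struct list_head *next = entry->next, *prev = entry->prev;
    struct del_result r = { false, 0 };

    if (is_list_poison(next)) {
        r.fault_addr = (uintptr_t)next + offsetof(struct list_head, prev);
        return r;
    }
    if (is_list_poison(prev)) {
        r.fault_addr = (uintptr_t)prev + offsetof(struct list_head, next);
        return r;
    }
    next->prev = prev;
    prev->next = next;
    r.ok = true;
    return r;
}

/* list_del(): unlink, then poison so a later use faults loudly. */
static struct del_result list_del_emulated(struct list_head *entry)
{
    struct del_result r = unlink_emulated(entry);
    if (r.ok) {
        entry->next = (struct list_head *)LIST_POISON1;
        entry->prev = (struct list_head *)LIST_POISON2;
    }
    return r;
}

/* list_del_init(): unlink, then re-initialise so a repeat is a no-op. */
static struct del_result list_del_init_emulated(struct list_head *entry)
{
    struct del_result r = unlink_emulated(entry);
    if (r.ok)
        init_list_head(entry);
    return r;
}

/* Scenario matching the report: list_del() then list_del_init() on one link. */
static uintptr_t fault_after_del_then_del_init(void)
{
    struct list_head orphan_list;
    struct fake_inode ino = { 42, { NULL, NULL } };
    init_list_head(&orphan_list);
    list_add_emulated(&ino.i_orphan, &orphan_list);
    (void)list_del_emulated(&ino.i_orphan);
    return list_del_init_emulated(&ino.i_orphan).fault_addr;
}

/* Contrast: list_del_init() twice on the same link completes both times. */
static bool double_del_init_is_safe(void)
{
    struct list_head orphan_list;
    struct fake_inode ino = { 42, { NULL, NULL } };
    init_list_head(&orphan_list);
    list_add_emulated(&ino.i_orphan, &orphan_list);
    return list_del_init_emulated(&ino.i_orphan).ok &&
           list_del_init_emulated(&ino.i_orphan).ok;
}

/* Decode a faulting address from a KASAN/GPF report back to its poison. */
static const char *decode_list_fault(uintptr_t addr)
{
    if (addr == LIST_POISON1 + offsetof(struct list_head, prev))
        return "entry->next was LIST_POISON1: entry already list_del()ed";
    if (addr == LIST_POISON2 + offsetof(struct list_head, next))
        return "entry->prev was LIST_POISON2: entry already list_del()ed";
    return "not a list poison address";
}

int main(void)
{
    uintptr_t a = fault_after_del_then_del_init();
    printf("store would hit %#lx: %s\n", (unsigned long)a, decode_list_fault(a));
    printf("list_del_init twice: %s\n", double_del_init_is_safe() ? "ok" : "fault");
    return 0;
}
```

When triaging a report like this one, `decode_list_fault` applied to the KASAN address is enough to tell a double unlink from a use-after-free of the containing object: the poison addresses are non-canonical on x86-64, which is why KASAN classifies the store as a user-memory-access rather than a shadow-memory hit, and why the kernel then takes a general protection fault at the same instruction.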