From: Kun Hu
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __mmap_region
Message-Id: <29B3EC03-A27C-4BC6-A8C5-F7A4497D8CED@m.fudan.edu.cn>
Date: Tue, 24 Dec 2024 20:13:01 +0800
To: akpm@linux-foundation.org, Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, vbabka@suse.cz, jannh@google.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, "jjtan24@m.fudan.edu.cn"
Hello,

When using a fuzzer tool to fuzz the latest Linux kernel, the following crash was triggered.

HEAD commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
git tree: upstream
Console output: https://drive.google.com/file/d/1_GxT_B3JkCE8Q6r6PGgG27uNn5cgzZm3/view?usp=sharing
Kernel config: https://drive.google.com/file/d/1RhT5dFTs6Vx1U71PbpenN7TPtnPoa3NI/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1zyZSM-hp1UInnE-AA9J3NXmMCV7DCqgf/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1W0yvbKYi6GaAaG0YNeDVacN3eEa8rxot/view?usp=sharing

We are triggering the same issue and I hope this information is useful to you. If you fix this issue, please let me know.

==================================================================
BUG: KASAN: slab-use-after-free in __mmap_complete mm/vma.c:2408 [inline]
BUG: KASAN: slab-use-after-free in __mmap_region+0x22d6/0x2700 mm/vma.c:2469
Read of size 8 at addr ff110000085279c0 by task syz-executor339/448

CPU: 2 UID: 0 PID: 448 Comm: syz-executor339 Not tainted 6.13.0-rc3 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcf/0x5f0 mm/kasan/report.c:489
 kasan_report+0x93/0xc0 mm/kasan/report.c:602
 __mmap_complete mm/vma.c:2408 [inline]
 __mmap_region+0x22d6/0x2700 mm/vma.c:2469
 mmap_region+0x265/0x300 mm/mmap.c:1348
 do_mmap+0xc3f/0x1000 mm/mmap.c:496
 vm_mmap_pgoff+0x1b3/0x380 mm/util.c:580
 ksys_mmap_pgoff+0x477/0x600 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x127/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f53b07cbb1d
Code: c3 e8 37 2a 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe3353bbe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00000000000172cc RCX: 00007f53b07cbb1d
RDX: 0000000000000008 RSI: 0000000000001000 RDI: 0000000020ffe000
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000011 R11: 0000000000000246 R12: 00007ffe3353bc04
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 448:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 kmem_cache_alloc_noprof+0x154/0x420 mm/slub.c:4175
 vm_area_alloc+0x20/0x200 kernel/fork.c:472
 __mmap_new_vma mm/vma.c:2340 [inline]
 __mmap_region+0x1219/0x2700 mm/vma.c:2456
 mmap_region+0x265/0x300 mm/mmap.c:1348
 do_mmap+0xc3f/0x1000 mm/mmap.c:496
 vm_mmap_pgoff+0x1b3/0x380 mm/util.c:580
 ksys_mmap_pgoff+0x477/0x600 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x127/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 425:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3a/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x54/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kmem_cache_free+0x126/0x4d0 mm/slub.c:4715
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0x7cb/0x16c0 kernel/rcu/tree.c:2823
 handle_softirqs+0x1ad/0x870 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu kernel/softirq.c:662 [inline]
 irq_exit_rcu+0xee/0x140 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x94/0xb0 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xa6/0xc0 mm/kasan/generic.c:544
 __call_rcu_common.constprop.0+0x99/0x790 kernel/rcu/tree.c:3086
 vma_complete+0x671/0xb70 mm/vma.c:310
 commit_merge+0x7b3/0xec0 mm/vma.c:674
 vma_merge_existing_range+0xd7a/0x1f10 mm/vma.c:897
 __mmap_region+0x11e4/0x2700 mm/vma.c:2466
 mmap_region+0x265/0x300 mm/mmap.c:1348
 do_mmap+0xc3f/0x1000 mm/mmap.c:496
 vm_mmap_pgoff+0x1b3/0x380 mm/util.c:580
 ksys_mmap_pgoff+0x477/0x600 mm/mmap.c:542
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x127/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc3/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ff110000085279a0
 which belongs to the cache vm_area_struct of size 160
The buggy address is located 32 bytes inside of
 freed 160-byte region [ff110000085279a0, ff11000008527a40)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8527
anon flags: 0x100000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000000 ff110000014cb680 ffd400000019bf40 dead00000000000d
raw: 0000000000000000 0000000000120012 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ff11000008527880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ff11000008527900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ff11000008527980: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ff11000008527a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ff11000008527a80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

---------------
thanks,
Kun Hu