[v6.1] KASAN: use-after-free Read in udf_free_inode
1 view
Skip to first unread message
syzbot
Jul 1, 2024, 12:17:20 PM7/1/24
Hello,
syzbot found the following issue on:
HEAD commit: 99e6a620de00 Linux 6.1.96
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=178157fa980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8695f134c8d5830a
dashboard link: https://syzkaller.appspot.com/bug?extid=bc5ff6826e62c196ea3a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/58c038f7d058/disk-99e6a620.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6f70b0b239b0/vmlinux-99e6a620.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c1423cf0fcc7/bzImage-99e6a620.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in udf_free_inode+0x269/0x2d0
Read of size 4 at addr ffff8880953d3b90 by task syz.2.560/6735
CPU: 0 PID: 6735 Comm: syz.2.560 Not tainted 6.1.96-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
udf_free_inode+0x269/0x2d0
evict+0x2a4/0x620 fs/inode.c:666
do_unlinkat+0x509/0x820 fs/namei.c:4399
__do_sys_unlink fs/namei.c:4440 [inline]
__se_sys_unlink fs/namei.c:4438 [inline]
__x64_sys_unlink+0x45/0x50 fs/namei.c:4438
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe833d75b99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe834a98048 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fe833f04078 RCX: 00007fe833d75b99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100
RBP: 00007fe833df677e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fe833f04078 R15: 00007ffd6b07cbb8
</TASK>
The buggy address belongs to the physical page:
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 99e6a620de00 Linux 6.1.96
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=178157fa980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8695f134c8d5830a
dashboard link: https://syzkaller.appspot.com/bug?extid=bc5ff6826e62c196ea3a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/58c038f7d058/disk-99e6a620.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6f70b0b239b0/vmlinux-99e6a620.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c1423cf0fcc7/bzImage-99e6a620.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in udf_free_inode+0x269/0x2d0
Read of size 4 at addr ffff8880953d3b90 by task syz.2.560/6735
CPU: 0 PID: 6735 Comm: syz.2.560 Not tainted 6.1.96-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
udf_free_inode+0x269/0x2d0
evict+0x2a4/0x620 fs/inode.c:666
do_unlinkat+0x509/0x820 fs/namei.c:4399
__do_sys_unlink fs/namei.c:4440 [inline]
__se_sys_unlink fs/namei.c:4438 [inline]
__x64_sys_unlink+0x45/0x50 fs/namei.c:4438
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe833d75b99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe834a98048 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 00007fe833f04078 RCX: 00007fe833d75b99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100
RBP: 00007fe833df677e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fe833f04078 R15: 00007ffd6b07cbb8
</TASK>
The buggy address belongs to the physical page:
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 9, 2024, 12:17:13 PM10/9/24
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages