Adding Doug as this involves the SG driver, which has a slightly unusual
usage of the blk-map.c code.

Does anyone know if the __asan_storeN in the trace implies the memory
stored to was invalid and not the memory read from?

On Sun, Apr 17, 2016 at 06:57:34AM -0400, Sasha Levin wrote:
> Hi all,
>
> I've hit the following while fuzzing with syzkaller inside a KVM tools guest
> running the latest -next kernel:
>
> [ 1886.693996] BUG: KASAN: use-after-free in memcpy+0x28/0x40 at addr ffff8800b53f902a
> [ 1886.694003] Write of size 1320 by task syz-executor/30711
> [ 1886.694020] page:ffffea0002d4fe40 count:0 mapcount:-127 mapping:          (null) index:0x0
> [ 1886.694025] flags: 0x1fffff80000000()
> [ 1886.694030] page dumped because: kasan: bad access detected
> [ 1886.694050] CPU: 0 PID: 30711 Comm: syz-executor Not tainted 4.6.0-rc3-next-20160412-sasha-00023-g0b02d6d-dirty #2998
> [ 1886.694072]  0000000000000000 000000009c413b9b ffff8800ae5f71f0 ffffffff9efc9d01
> [ 1886.694086]  ffffffff00000000 fffffbfff53ad2a0 0000000041b58ab3 ffffffffa965eee0
> [ 1886.694101]  ffffffff9efc9b88 ffff8800ae5f71d0 ffffffff9d6d0a8f ffffffff9d5229b3
> [ 1886.694105] Call Trace:
> [ 1886.694139]  dump_stack (lib/dump_stack.c:53)
> [ 1886.694221]  kasan_report_error (include/linux/kasan.h:28 mm/kasan/report.c:211 mm/kasan/report.c:277)
> [ 1886.694256]  kasan_report (mm/kasan/report.c:299)
> [ 1886.694331]  __asan_storeN (mm/kasan/kasan.c:738)
> [ 1886.694339]  memcpy (mm/kasan/kasan.c:321)
> [ 1886.694351]  copy_to_iter (lib/iov_iter.c:395 (discriminator 15))
> [ 1886.694361]  copy_page_to_iter (lib/iov_iter.c:454)
> [ 1886.694377]  bio_uncopy_user (block/bio.c:1065 block/bio.c:1105)
> [ 1886.694442]  __blk_rq_unmap_user (block/blk-map.c:54)
> [ 1886.694454]  blk_rq_unmap_user (block/blk-map.c:209)
> [ 1886.694463]  sg_finish_rem_req (drivers/scsi/sg.c:1793)
> [ 1886.694471]  sg_read (drivers/scsi/sg.c:538)
> [ 1886.694527]  do_loop_readv_writev (fs/read_write.c:734)
> [ 1886.694557]  do_readv_writev (fs/read_write.c:863)
> [ 1886.694621]  vfs_readv (fs/read_write.c:887)
> [ 1886.694634]  default_file_splice_read (fs/splice.c:584 fs/splice.c:659)
> [ 1886.694745]  do_splice_to (fs/splice.c:1151)
> [ 1886.694755]  SyS_splice (fs/splice.c:1427 fs/splice.c:1704 fs/splice.c:1687)
> [ 1886.694827]  do_syscall_64 (arch/x86/entry/common.c:350)
> [ 1886.694838]  entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
> [ 1886.694841] Memory state around the buggy address:
> [ 1886.694855]  ffff8800b53f8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1886.694862]  ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1886.694869] >ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1886.694872]                                   ^
> [ 1886.694878]  ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1886.694885]  ffff8800b53f9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-block" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
---end quoted text---
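A small triage script for reports of the shape quoted above, added here as an example and not part of the thread or of the kernel's own tooling. It strips the mail quoting and printk timestamps, parses the BUG line, the Read/Write line and the "Memory state" rows, looks up the shadow byte covering the faulting address (each shadow byte covers an 8-byte granule, each dumped row 128 bytes; 0xff is KASAN_FREE_PAGE in mm/kasan/kasan.h, consistent with the page dump's count:0), and records which memcpy operand KASAN blamed. That last step rests on how the kernel's instrumented memcpy works: it checks the source as a read and then the destination as a write, and the report's "Read of size" / "Write of size" line names the check that failed, so a Write report from memcpy refers to the destination buffer. The sample report is assembled from the lines quoted above; the function and constant names are this example's own.

```python
import re

# Shadow-byte encodings from the kernel's mm/kasan/kasan.h.  Values 0..7 mean
# "only the first N bytes of this 8-byte granule are addressable" (0 = all 8).
SHADOW_MEANING = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xF4: "stack partial redzone (KASAN_STACK_PARTIAL)",
}
GRANULE = 8                 # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE    # one "Memory state" row shows 16 shadow bytes

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(?P<dir>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
ROW_RE = re.compile(r">?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")
PREFIX_RE = re.compile(r"^(?:>\s*)*(?:\[\s*\d+\.\d+\]\s*)?")

# Constructed sample: the key lines of the report quoted in this thread, kept
# in their mail-quoted form so the prefix stripping is exercised.
SAMPLE_REPORT = """\
> [ 1886.693996] BUG: KASAN: use-after-free in memcpy+0x28/0x40 at addr ffff8800b53f902a
> [ 1886.694003] Write of size 1320 by task syz-executor/30711
> [ 1886.694020] page:ffffea0002d4fe40 count:0 mapcount:-127 mapping: (null) index:0x0
> [ 1886.694841] Memory state around the buggy address:
> [ 1886.694855]  ffff8800b53f8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1886.694862]  ffff8800b53f8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1886.694869] >ffff8800b53f9000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1886.694872]                                   ^
> [ 1886.694878]  ffff8800b53f9080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 1886.694885]  ffff8800b53f9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""


def clean(line):
    """Drop leading '> ' quote markers and the printk timestamp."""
    return PREFIX_RE.sub("", line).strip()


def shadow_byte_for(addr, rows):
    """Shadow byte covering addr, or None if no dumped row contains it."""
    for base, shadow in rows:
        if base <= addr < base + ROW_BYTES:
            return shadow[(addr - base) // GRANULE]
    return None


def describe_shadow(b):
    if b is None:
        return "not in dumped rows"
    if b < GRANULE:
        return "addressable" if b == 0 else f"only first {b} bytes of granule addressable"
    return SHADOW_MEANING.get(b, f"unknown poison 0x{b:02x}")


def triage(report):
    """Parse a KASAN report and return a dict summarising the faulting access."""
    info, rows = {}, []
    for raw in report.splitlines():
        line = clean(raw)
        m = BUG_RE.search(line)
        if m:
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
            continue
        m = ACCESS_RE.search(line)
        if m:
            info.update(direction=m["dir"], size=int(m["size"]), task=m["task"])
            continue
        m = ROW_RE.search(line)
        if m:
            rows.append((int(m["base"], 16), bytes.fromhex(m["bytes"].replace(" ", ""))))
    if "addr" not in info or "direction" not in info:
        raise ValueError("not a complete KASAN report")
    first = shadow_byte_for(info["addr"], rows)
    last = shadow_byte_for(info["addr"] + info["size"] - 1, rows)
    info["shadow_first"] = first
    info["shadow_first_meaning"] = describe_shadow(first)
    info["shadow_last_meaning"] = describe_shadow(last)
    # The instrumented memcpy checks src as a read, then dst as a write; the
    # report names the failed check, so Write == destination, Read == source.
    if info["func"].startswith("memcpy"):
        info["blamed_operand"] = "destination" if info["direction"] == "Write" else "source"
    else:
        info["blamed_operand"] = "stored-to memory" if info["direction"] == "Write" else "loaded-from memory"
    return info


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and k == "addr" else f"{k}: {v}")
```

For the quoted report this yields a Write of 1320 bytes starting in a granule whose shadow is 0xff, i.e. a freed page, and the access extends past the dumped rows; the destination of the memcpy in copy_to_iter is the operand the report is about.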