On Sun, Jan 27, 2019 at 9:01 AM syzbot <syzbot+4df6ca820108fd248943@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > Hello, > > syzbot found the following crash on: > > HEAD commit: 7930851ef10c Merge tag 'scsi-fixes' of git://git.kernel.or.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=1002c77f400000 > kernel config: https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68 > dashboard link: https://syzkaller.appspot.com/bug?extid=4df6ca820108fd248943 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > Unfortunately, I don't have any reproducer for this crash yet. > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+4df6ca820108fd248943@xxxxxxxxxxxxxxxxxxxxxxxxx The mainline tree crashes on boot with this use-after-free. Adding the generic_make_request maintainers to Cc. [ 7.485069] ================================================================== [ 7.486411] BUG: KASAN: use-after-free in generic_make_request+0x14dd/0x1810 [ 7.487539] Read of size 2 at addr ffff8880a39618d4 by task swapper/0/1 [ 7.488689] [ 7.488970] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc3+ #45 [ 7.490025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 7.491484] Call Trace: [ 7.491484] dump_stack+0x1db/0x2d0 [ 7.491484] ? dump_stack_print_info.cold+0x20/0x20 [ 7.491484] ? generic_make_request+0x14dd/0x1810 [ 7.491484] print_address_description.cold+0x7c/0x20d [ 7.491484] ? generic_make_request+0x14dd/0x1810 [ 7.491484] ? generic_make_request+0x14dd/0x1810 [ 7.491484] kasan_report.cold+0x1b/0x40 [ 7.491484] ? generic_make_request+0x14dd/0x1810 [ 7.491484] __asan_report_load2_noabort+0x14/0x20 [ 7.491484] generic_make_request+0x14dd/0x1810 [ 7.491484] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 7.491484] ? blk_queue_enter+0x1200/0x1200 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] ? check_preemption_disabled+0x48/0x290 [ 7.491484] ? guard_bio_eod+0x1cc/0x630 [ 7.491484] ? 
find_held_lock+0x35/0x120 [ 7.491484] ? guard_bio_eod+0x1cc/0x630 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] submit_bio+0xba/0x480 [ 7.491484] ? submit_bio+0xba/0x480 [ 7.491484] ? rcu_read_unlock_special+0x380/0x380 [ 7.491484] ? generic_make_request+0x1810/0x1810 [ 7.491484] ? __bio_add_page+0x11e/0x280 [ 7.491484] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 7.491484] ? guard_bio_eod+0x293/0x630 [ 7.491484] submit_bh_wbc+0x5f7/0x7f0 [ 7.491484] block_read_full_page+0x946/0xfe0 [ 7.491484] ? check_disk_change+0x140/0x140 [ 7.491484] ? __bread_gfp+0x300/0x300 [ 7.491484] ? __inc_numa_state+0x49/0xe0 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] ? alloc_page_interleave+0x91/0x1c0 [ 7.491484] ? alloc_pages_current+0x10f/0x210 [ 7.491484] ? __page_cache_alloc+0x19c/0x620 [ 7.491484] ? __filemap_set_wb_err+0x3f0/0x3f0 [ 7.491484] blkdev_readpage+0x1d/0x30 [ 7.491484] do_read_cache_page+0x796/0x16a0 [ 7.491484] ? blkdev_writepages+0x30/0x30 [ 7.491484] ? grab_cache_page_write_begin+0xb0/0xb0 [ 7.491484] ? mark_held_locks+0xb1/0x100 [ 7.491484] ? mark_held_locks+0x100/0x100 [ 7.491484] ? depot_save_stack+0x1de/0x460 [ 7.491484] ? trace_hardirqs_off_caller+0x300/0x300 [ 7.491484] ? do_raw_spin_trylock+0x270/0x270 [ 7.491484] ? __lock_is_held+0xb6/0x140 [ 7.491484] ? add_lock_to_list.isra.0+0x450/0x450 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] ? check_preemption_disabled+0x48/0x290 [ 7.491484] ? add_lock_to_list.isra.0+0x450/0x450 [ 7.491484] ? __lock_is_held+0xb6/0x140 [ 7.491484] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 7.491484] ? widen_string+0xe0/0x2e0 [ 7.491484] ? blkdev_writepages+0x30/0x30 [ 7.491484] read_cache_page+0x5e/0x70 [ 7.491484] read_dev_sector+0x12c/0x510 [ 7.491484] ? __delete_partition+0x210/0x210 [ 7.491484] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 7.491484] ? format_decode+0x227/0xb00 [ 7.491484] ? 
enable_ptr_key_workfn+0x30/0x30 [ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0 [ 7.491484] adfspart_check_ICS+0x153/0xfb0 [ 7.491484] ? memcpy+0x46/0x50 [ 7.491484] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0 [ 7.491484] ? pointer+0x930/0x930 [ 7.491484] ? snprintf+0xbb/0xf0 [ 7.491484] ? vsprintf+0x40/0x40 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0 [ 7.491484] check_partition+0x3be/0x6d0 [ 7.491484] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 7.491484] rescan_partitions+0x187/0x970 [ 7.491484] ? up_write+0x7b/0x230 [ 7.491484] ? set_init_blocksize+0x1ac/0x260 [ 7.491484] __blkdev_get+0xda1/0x1560 [ 7.491484] ? blkdev_get_block+0xc0/0xc0 [ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 7.491484] blkdev_get+0xc1/0xae0 [ 7.491484] ? unlock_new_inode+0xfa/0x140 [ 7.491484] ? bdget+0xfe/0x600 [ 7.491484] ? bdget+0x600/0x600 [ 7.491484] ? refcount_dec_and_test_checked+0x1b/0x20 [ 7.491484] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 7.491484] ? kobject_put+0x84/0xe0 [ 7.491484] ? put_device+0x25/0x30 [ 7.491484] __device_add_disk+0xe5e/0x13c0 [ 7.491484] ? blk_alloc_devt+0x2e0/0x2e0 [ 7.491484] ? sprintf+0xc0/0x100 [ 7.491484] ? scnprintf+0x140/0x140 [ 7.491484] ? disk_expand_part_tbl+0x3d0/0x3d0 [ 7.491484] ? lockdep_init_map+0x10c/0x5b0 [ 7.491484] device_add_disk+0x2b/0x40 [ 7.491484] brd_init+0x2e9/0x3fa [ 7.491484] ? ramdisk_size+0x2a/0x2a [ 7.491484] ? ramdisk_size+0x2a/0x2a [ 7.491484] ? ramdisk_size+0x2a/0x2a [ 7.491484] do_one_initcall+0x129/0x937 [ 7.491484] ? perf_trace_initcall_level+0x750/0x750 [ 7.491484] ? rcu_read_lock_sched_held+0x110/0x130 [ 7.491484] ? trace_initcall_level+0x2d5/0x321 [ 7.491484] ? arch_local_irq_restore+0x56/0x56 [ 7.491484] ? down_write_nested+0x130/0x130 [ 7.491484] ? down_read+0x120/0x120 [ 7.491484] ? kasan_unpoison_shadow+0x35/0x50 [ 7.491484] kernel_init_freeable+0x4d5/0x5c4 [ 7.491484] ? 
rest_init+0x37b/0x37b [ 7.491484] kernel_init+0x12/0x1c5 [ 7.491484] ret_from_fork+0x3a/0x50 [ 7.491484] [ 7.491484] Allocated by task 1: [ 7.491484] save_stack+0x45/0xd0 [ 7.491484] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 7.491484] kasan_slab_alloc+0xf/0x20 [ 7.491484] kmem_cache_alloc+0x12d/0x710 [ 7.491484] mempool_alloc_slab+0x47/0x60 [ 7.491484] mempool_alloc+0x19f/0x500 [ 7.491484] bio_alloc_bioset+0x3c1/0x720 [ 7.491484] submit_bh_wbc+0x133/0x7f0 [ 7.491484] block_read_full_page+0x946/0xfe0 [ 7.491484] blkdev_readpage+0x1d/0x30 [ 7.491484] do_read_cache_page+0x796/0x16a0 [ 7.491484] read_cache_page+0x5e/0x70 [ 7.491484] read_dev_sector+0x12c/0x510 [ 7.491484] adfspart_check_ICS+0x153/0xfb0 [ 7.491484] check_partition+0x3be/0x6d0 [ 7.491484] rescan_partitions+0x187/0x970 [ 7.491484] __blkdev_get+0xda1/0x1560 [ 7.491484] blkdev_get+0xc1/0xae0 [ 7.491484] __device_add_disk+0xe5e/0x13c0 [ 7.491484] device_add_disk+0x2b/0x40 [ 7.491484] brd_init+0x2e9/0x3fa [ 7.491484] do_one_initcall+0x129/0x937 [ 7.491484] kernel_init_freeable+0x4d5/0x5c4 [ 7.491484] kernel_init+0x12/0x1c5 [ 7.491484] ret_from_fork+0x3a/0x50 [ 7.491484] [ 7.491484] Freed by task 1: [ 7.491484] save_stack+0x45/0xd0 [ 7.491484] __kasan_slab_free+0x102/0x150 [ 7.491484] kasan_slab_free+0xe/0x10 [ 7.491484] kmem_cache_free+0x86/0x260 [ 7.491484] mempool_free_slab+0x1e/0x30 [ 7.491484] mempool_free+0xed/0x380 [ 7.491484] bio_free+0x324/0x570 [ 7.491484] bio_put+0x17a/0x1f0 [ 7.491484] end_bio_bh_io_sync+0xfb/0x140 [ 7.491484] bio_endio+0x840/0xfb0 [ 7.491484] brd_make_request+0x686/0x95a [ 7.491484] generic_make_request+0x92b/0x1810 [ 7.491484] submit_bio+0xba/0x480 [ 7.491484] submit_bh_wbc+0x5f7/0x7f0 [ 7.491484] block_read_full_page+0x946/0xfe0 [ 7.491484] blkdev_readpage+0x1d/0x30 [ 7.491484] do_read_cache_page+0x796/0x16a0 [ 7.491484] read_cache_page+0x5e/0x70 [ 7.491484] read_dev_sector+0x12c/0x510 [ 7.491484] adfspart_check_ICS+0x153/0xfb0 [ 7.491484] check_partition+0x3be/0x6d0 [ 7.491484] 
rescan_partitions+0x187/0x970 [ 7.491484] __blkdev_get+0xda1/0x1560 [ 7.491484] blkdev_get+0xc1/0xae0 [ 7.491484] __device_add_disk+0xe5e/0x13c0 [ 7.491484] device_add_disk+0x2b/0x40 [ 7.491484] brd_init+0x2e9/0x3fa [ 7.491484] do_one_initcall+0x129/0x937 [ 7.491484] kernel_init_freeable+0x4d5/0x5c4 [ 7.491484] kernel_init+0x12/0x1c5 [ 7.491484] ret_from_fork+0x3a/0x50 [ 7.491484] [ 7.491484] The buggy address belongs to the object at ffff8880a39618c0 [ 7.491484] which belongs to the cache bio-0 of size 200 [ 7.491484] The buggy address is located 20 bytes inside of [ 7.491484] 200-byte region [ffff8880a39618c0, ffff8880a3961988) [ 7.491484] The buggy address belongs to the page: [ 7.491484] page:ffffea00028e5840 count:1 mapcount:0 mapping:ffff88821bb1ea80 index:0x0 [ 7.491484] flags: 0x1fffc0000000200(slab) [ 7.491484] raw: 01fffc0000000200 ffffea00028e8008 ffff88812c3cf648 ffff88821bb1ea80 [ 7.491484] raw: 0000000000000000 ffff8880a3961000 000000010000000c 0000000000000000 [ 7.491484] page dumped because: kasan: bad access detected [ 7.491484] [ 7.491484] Memory state around the buggy address: [ 7.491484] ffff8880a3961780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 7.491484] ffff8880a3961800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 7.491484] >ffff8880a3961880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 7.491484] ^ [ 7.491484] ffff8880a3961900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 7.491484] ffff8880a3961980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 7.491484] ================================================================== > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with > syzbot. 