Re: upstream boot error: can't ssh into the instance (2)

From: Dmitry Vyukov
Date: Sun Jan 27 2019 - 03:05:40 EST


On Sun, Jan 27, 2019 at 9:01 AM syzbot
<syzbot+4df6ca820108fd248943@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 7930851ef10c Merge tag 'scsi-fixes' of git://git.kernel.or..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1002c77f400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68
> dashboard link: https://syzkaller.appspot.com/bug?extid=4df6ca820108fd248943
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+4df6ca820108fd248943@xxxxxxxxxxxxxxxxxxxxxxxxx


Mainline tree crashes on boot.
+generic_make_request maintainers

[ 7.485069] ==================================================================
[ 7.486411] BUG: KASAN: use-after-free in generic_make_request+0x14dd/0x1810
[ 7.487539] Read of size 2 at addr ffff8880a39618d4 by task swapper/0/1
[ 7.488689]
[ 7.488970] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc3+ #45
[ 7.491484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 7.491484] Call Trace:
[ 7.491484] dump_stack+0x1db/0x2d0
[ 7.491484] ? dump_stack_print_info.cold+0x20/0x20
[ 7.491484] ? generic_make_request+0x14dd/0x1810
[ 7.491484] print_address_description.cold+0x7c/0x20d
[ 7.491484] ? generic_make_request+0x14dd/0x1810
[ 7.491484] ? generic_make_request+0x14dd/0x1810
[ 7.491484] kasan_report.cold+0x1b/0x40
[ 7.491484] ? generic_make_request+0x14dd/0x1810
[ 7.491484] __asan_report_load2_noabort+0x14/0x20
[ 7.491484] generic_make_request+0x14dd/0x1810
[ 7.491484] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 7.491484] ? blk_queue_enter+0x1200/0x1200
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] ? check_preemption_disabled+0x48/0x290
[ 7.491484] ? guard_bio_eod+0x1cc/0x630
[ 7.491484] ? find_held_lock+0x35/0x120
[ 7.491484] ? guard_bio_eod+0x1cc/0x630
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] submit_bio+0xba/0x480
[ 7.491484] ? submit_bio+0xba/0x480
[ 7.491484] ? rcu_read_unlock_special+0x380/0x380
[ 7.491484] ? generic_make_request+0x1810/0x1810
[ 7.491484] ? __bio_add_page+0x11e/0x280
[ 7.491484] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 7.491484] ? guard_bio_eod+0x293/0x630
[ 7.491484] submit_bh_wbc+0x5f7/0x7f0
[ 7.491484] block_read_full_page+0x946/0xfe0
[ 7.491484] ? check_disk_change+0x140/0x140
[ 7.491484] ? __bread_gfp+0x300/0x300
[ 7.491484] ? __inc_numa_state+0x49/0xe0
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] ? alloc_page_interleave+0x91/0x1c0
[ 7.491484] ? alloc_pages_current+0x10f/0x210
[ 7.491484] ? __page_cache_alloc+0x19c/0x620
[ 7.491484] ? __filemap_set_wb_err+0x3f0/0x3f0
[ 7.491484] blkdev_readpage+0x1d/0x30
[ 7.491484] do_read_cache_page+0x796/0x16a0
[ 7.491484] ? blkdev_writepages+0x30/0x30
[ 7.491484] ? grab_cache_page_write_begin+0xb0/0xb0
[ 7.491484] ? mark_held_locks+0xb1/0x100
[ 7.491484] ? mark_held_locks+0x100/0x100
[ 7.491484] ? depot_save_stack+0x1de/0x460
[ 7.491484] ? trace_hardirqs_off_caller+0x300/0x300
[ 7.491484] ? do_raw_spin_trylock+0x270/0x270
[ 7.491484] ? __lock_is_held+0xb6/0x140
[ 7.491484] ? add_lock_to_list.isra.0+0x450/0x450
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] ? check_preemption_disabled+0x48/0x290
[ 7.491484] ? add_lock_to_list.isra.0+0x450/0x450
[ 7.491484] ? __lock_is_held+0xb6/0x140
[ 7.491484] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 7.491484] ? widen_string+0xe0/0x2e0
[ 7.491484] ? blkdev_writepages+0x30/0x30
[ 7.491484] read_cache_page+0x5e/0x70
[ 7.491484] read_dev_sector+0x12c/0x510
[ 7.491484] ? __delete_partition+0x210/0x210
[ 7.491484] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 7.491484] ? format_decode+0x227/0xb00
[ 7.491484] ? enable_ptr_key_workfn+0x30/0x30
[ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0
[ 7.491484] adfspart_check_ICS+0x153/0xfb0
[ 7.491484] ? memcpy+0x46/0x50
[ 7.491484] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0
[ 7.491484] ? pointer+0x930/0x930
[ 7.491484] ? snprintf+0xbb/0xf0
[ 7.491484] ? vsprintf+0x40/0x40
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] ? adfspart_check_ADFS+0x9c0/0x9c0
[ 7.491484] check_partition+0x3be/0x6d0
[ 7.491484] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 7.491484] rescan_partitions+0x187/0x970
[ 7.491484] ? up_write+0x7b/0x230
[ 7.491484] ? set_init_blocksize+0x1ac/0x260
[ 7.491484] __blkdev_get+0xda1/0x1560
[ 7.491484] ? blkdev_get_block+0xc0/0xc0
[ 7.491484] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 7.491484] blkdev_get+0xc1/0xae0
[ 7.491484] ? unlock_new_inode+0xfa/0x140
[ 7.491484] ? bdget+0xfe/0x600
[ 7.491484] ? bdget+0x600/0x600
[ 7.491484] ? refcount_dec_and_test_checked+0x1b/0x20
[ 7.491484] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 7.491484] ? kobject_put+0x84/0xe0
[ 7.491484] ? put_device+0x25/0x30
[ 7.491484] __device_add_disk+0xe5e/0x13c0
[ 7.491484] ? blk_alloc_devt+0x2e0/0x2e0
[ 7.491484] ? sprintf+0xc0/0x100
[ 7.491484] ? scnprintf+0x140/0x140
[ 7.491484] ? disk_expand_part_tbl+0x3d0/0x3d0
[ 7.491484] ? lockdep_init_map+0x10c/0x5b0
[ 7.491484] device_add_disk+0x2b/0x40
[ 7.491484] brd_init+0x2e9/0x3fa
[ 7.491484] ? ramdisk_size+0x2a/0x2a
[ 7.491484] ? ramdisk_size+0x2a/0x2a
[ 7.491484] ? ramdisk_size+0x2a/0x2a
[ 7.491484] do_one_initcall+0x129/0x937
[ 7.491484] ? perf_trace_initcall_level+0x750/0x750
[ 7.491484] ? rcu_read_lock_sched_held+0x110/0x130
[ 7.491484] ? trace_initcall_level+0x2d5/0x321
[ 7.491484] ? arch_local_irq_restore+0x56/0x56
[ 7.491484] ? down_write_nested+0x130/0x130
[ 7.491484] ? down_read+0x120/0x120
[ 7.491484] ? kasan_unpoison_shadow+0x35/0x50
[ 7.491484] kernel_init_freeable+0x4d5/0x5c4
[ 7.491484] ? rest_init+0x37b/0x37b
[ 7.491484] kernel_init+0x12/0x1c5
[ 7.491484] ret_from_fork+0x3a/0x50
[ 7.491484]
[ 7.491484] Allocated by task 1:
[ 7.491484] save_stack+0x45/0xd0
[ 7.491484] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 7.491484] kasan_slab_alloc+0xf/0x20
[ 7.491484] kmem_cache_alloc+0x12d/0x710
[ 7.491484] mempool_alloc_slab+0x47/0x60
[ 7.491484] mempool_alloc+0x19f/0x500
[ 7.491484] bio_alloc_bioset+0x3c1/0x720
[ 7.491484] submit_bh_wbc+0x133/0x7f0
[ 7.491484] block_read_full_page+0x946/0xfe0
[ 7.491484] blkdev_readpage+0x1d/0x30
[ 7.491484] do_read_cache_page+0x796/0x16a0
[ 7.491484] read_cache_page+0x5e/0x70
[ 7.491484] read_dev_sector+0x12c/0x510
[ 7.491484] adfspart_check_ICS+0x153/0xfb0
[ 7.491484] check_partition+0x3be/0x6d0
[ 7.491484] rescan_partitions+0x187/0x970
[ 7.491484] __blkdev_get+0xda1/0x1560
[ 7.491484] blkdev_get+0xc1/0xae0
[ 7.491484] __device_add_disk+0xe5e/0x13c0
[ 7.491484] device_add_disk+0x2b/0x40
[ 7.491484] brd_init+0x2e9/0x3fa
[ 7.491484] do_one_initcall+0x129/0x937
[ 7.491484] kernel_init_freeable+0x4d5/0x5c4
[ 7.491484] kernel_init+0x12/0x1c5
[ 7.491484] ret_from_fork+0x3a/0x50
[ 7.491484]
[ 7.491484] Freed by task 1:
[ 7.491484] save_stack+0x45/0xd0
[ 7.491484] __kasan_slab_free+0x102/0x150
[ 7.491484] kasan_slab_free+0xe/0x10
[ 7.491484] kmem_cache_free+0x86/0x260
[ 7.491484] mempool_free_slab+0x1e/0x30
[ 7.491484] mempool_free+0xed/0x380
[ 7.491484] bio_free+0x324/0x570
[ 7.491484] bio_put+0x17a/0x1f0
[ 7.491484] end_bio_bh_io_sync+0xfb/0x140
[ 7.491484] bio_endio+0x840/0xfb0
[ 7.491484] brd_make_request+0x686/0x95a
[ 7.491484] generic_make_request+0x92b/0x1810
[ 7.491484] submit_bio+0xba/0x480
[ 7.491484] submit_bh_wbc+0x5f7/0x7f0
[ 7.491484] block_read_full_page+0x946/0xfe0
[ 7.491484] blkdev_readpage+0x1d/0x30
[ 7.491484] do_read_cache_page+0x796/0x16a0
[ 7.491484] read_cache_page+0x5e/0x70
[ 7.491484] read_dev_sector+0x12c/0x510
[ 7.491484] adfspart_check_ICS+0x153/0xfb0
[ 7.491484] check_partition+0x3be/0x6d0
[ 7.491484] rescan_partitions+0x187/0x970
[ 7.491484] __blkdev_get+0xda1/0x1560
[ 7.491484] blkdev_get+0xc1/0xae0
[ 7.491484] __device_add_disk+0xe5e/0x13c0
[ 7.491484] device_add_disk+0x2b/0x40
[ 7.491484] brd_init+0x2e9/0x3fa
[ 7.491484] do_one_initcall+0x129/0x937
[ 7.491484] kernel_init_freeable+0x4d5/0x5c4
[ 7.491484] kernel_init+0x12/0x1c5
[ 7.491484] ret_from_fork+0x3a/0x50
[ 7.491484]
[ 7.491484] The buggy address belongs to the object at ffff8880a39618c0
[ 7.491484] which belongs to the cache bio-0 of size 200
[ 7.491484] The buggy address is located 20 bytes inside of
[ 7.491484] 200-byte region [ffff8880a39618c0, ffff8880a3961988)
[ 7.491484] The buggy address belongs to the page:
[ 7.491484] page:ffffea00028e5840 count:1 mapcount:0 mapping:ffff88821bb1ea80 index:0x0
[ 7.491484] flags: 0x1fffc0000000200(slab)
[ 7.491484] raw: 01fffc0000000200 ffffea00028e8008 ffff88812c3cf648 ffff88821bb1ea80
[ 7.491484] raw: 0000000000000000 ffff8880a3961000 000000010000000c 0000000000000000
[ 7.491484] page dumped because: kasan: bad access detected
[ 7.491484]
[ 7.491484] Memory state around the buggy address:
[ 7.491484] ffff8880a3961780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 7.491484] ffff8880a3961800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 7.491484] >ffff8880a3961880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 7.491484] ^
[ 7.491484] ffff8880a3961900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 7.491484] ffff8880a3961980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 7.491484] ==================================================================


> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
>