Re: [syzbot] KASAN: use-after-free Read in hugetlb_fault

From: Mike Kravetz
Date: Mon Oct 24 2022 - 18:19:36 EST


On 10/23/22 15:03, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 4d48f589d294 Add linux-next specific files for 20221021
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=165e09b4880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2c4b7d600a5739a6
> dashboard link: https://syzkaller.appspot.com/bug?extid=1b27d7a2722eabc2c5d5
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1546e96a880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=123eabd2880000

Thanks for the reproducer!

> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/0c86bd0b39a0/disk-4d48f589.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/074059d37f1f/vmlinux-4d48f589.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1b27d7a2722eabc2c5d5@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> ==================================================================
> BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
> BUG: KASAN: use-after-free in atomic_long_read include/linux/atomic/atomic-instrumented.h:1265 [inline]
> BUG: KASAN: use-after-free in is_rwsem_reader_owned kernel/locking/rwsem.c:193 [inline]
> BUG: KASAN: use-after-free in __down_read_common kernel/locking/rwsem.c:1262 [inline]
> BUG: KASAN: use-after-free in __down_read_common kernel/locking/rwsem.c:1255 [inline]
> BUG: KASAN: use-after-free in __down_read kernel/locking/rwsem.c:1269 [inline]
> BUG: KASAN: use-after-free in down_read+0x1d3/0x450 kernel/locking/rwsem.c:1511
> Read of size 8 at addr ffff88801263a508 by task syz-executor409/3698

Verified this is indeed addressed with,
https://lore.kernel.org/linux-mm/20221023025047.470646-1-mike.kravetz@xxxxxxxxxx/
--
Mike Kravetz