openEuler / kernel

KASAN: use-after-free Read in ata_scsi_mode_select_xlat

Completed
Bug
Created on 2020-05-09 15:03

Problem report:

BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x12ee/0x1330
Read of size 1 at addr ffff888005024003 by task syz-executor.4/5345

CPU: 0 PID: 5345 Comm: syz-executor.4 Not tainted 4.19.90 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x111/0x19e
print_address_description+0x60/0x223
kasan_report.cold+0xae/0x2d8
ata_scsi_mode_select_xlat+0x12ee/0x1330
ata_scsi_translate+0x30c/0x6e0
ata_scsi_queuecmd+0x358/0x860
scsi_dispatch_cmd+0x35f/0x950
scsi_queue_rq+0x114f/0x1a50
blk_mq_dispatch_rq_list+0x1e2/0x19b0
blk_mq_do_dispatch_sched+0x153/0x3f0
blk_mq_sched_dispatch_requests+0x446/0x6a0
__blk_mq_run_hw_queue+0x14d/0x250
__blk_mq_delay_run_hw_queue+0x47a/0x510
blk_mq_run_hw_queue+0x16b/0x2f0
blk_mq_sched_insert_request+0x367/0x6d0
blk_execute_rq_nowait+0x163/0x2e0
blk_execute_rq+0xd4/0x1ad
sg_scsi_ioctl+0x541/0x800
sg_ioctl+0xee7/0x2760
do_vfs_ioctl+0xcf1/0x12f0
ksys_ioctl+0x9b/0xc0
__x64_sys_ioctl+0x6f/0xb0
do_syscall_64+0xc3/0x520
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0686f4dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0686f4e6d4 RCX: 000000000045c479
RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bf2c

Allocated by task 5270:
kasan_kmalloc+0xbf/0xe0
__kmalloc_node_track_caller+0x111/0x350
__kmalloc_reserve.isra.0+0x39/0xe0
__alloc_skb+0xef/0x5b0
alloc_skb_with_frags+0x92/0x560
sock_alloc_send_pskb+0x6b9/0x810
__ip_append_data.isra.0+0x1530/0x2700
ip_append_data.part.0+0xf3/0x180
ip_append_data+0x6f/0x90
icmp_push_reply+0x161/0x4b0
__icmp_send+0xe18/0x14d0
__udp4_lib_rcv+0x1de6/0x28d0
ip_local_deliver_finish+0x268/0xb50
ip_local_deliver+0x1c8/0x4f0
ip_rcv_finish+0xe6/0x1c0
ip_rcv+0xd0/0x3d0
__netif_receive_skb_one_core+0xf7/0x160
__netif_receive_skb+0x27/0x1c0
process_backlog+0x205/0x6c0
net_rx_action+0x3d8/0xd80
__do_softirq+0x225/0x8ac

Freed by task 5270:
__kasan_slab_free+0x129/0x170
kfree+0xe0/0x280
skb_free_head+0x91/0xb0
skb_release_data+0x8e9/0xca0
skb_release_all+0x46/0x60
consume_skb+0xc0/0x2f0
icmp_rcv+0x831/0x1440
ip_local_deliver_finish+0x268/0xb50
ip_local_deliver+0x1c8/0x4f0
ip_rcv_finish+0xe6/0x1c0
ip_rcv+0xd0/0x3d0
__netif_receive_skb_one_core+0xf7/0x160
__netif_receive_skb+0x27/0x1c0
process_backlog+0x205/0x6c0
net_rx_action+0x3d8/0xd80
__do_softirq+0x225/0x8ac

The buggy address belongs to the object at ffff888005024000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 3 bytes inside of
512-byte region [ffff888005024000, ffff888005024200)
The buggy address belongs to the page:
page:ffffea0000140900 count:1 mapcount:0 mapping:ffff88806cc02500 index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 ffffea00006b0380 0000000900000009 ffff88806cc02500
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888005023f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888005023f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888005024000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
ffff888005024080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888005024100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reproducer:

{Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}

r0 = syz_open_dev$sg(&(0x7f00000001c0)='/dev/sg#\x00', 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r0, 0x1, &(0x7f0000000040)={0x2b, 0x200, 0x7c15, "2b1927940b08784161ba4fba044f8d42dd9c1a178724113689c56a80e635fc09ab7cfa30e31aa8facd164b"})

Comments (2)

ccoder created the bug
ccoder set the associated repository to openEuler/kernel

Hey @ccoder, Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot.
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.

yanzh_h set the assignee to Xie XiuQi
yanzh_h changed the assignee from Xie XiuQi to wangxiongfeng
yanzh_h added Xie XiuQi as a collaborator
YangYingliang changed the task status from To Do to Completed
