syzbot


KASAN: use-after-free Write in enqueue_timer

Status: upstream: reported on 2024/07/25 13:16
Reported-by: syzbot+092cf816f02f1a8a8f2e@syzkaller.appspotmail.com
First crash: 158d, last: 4d21h
Similar bugs (5)
Kernel       | Title                                             | Subsystem | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
android-54   | KASAN: use-after-free Write in enqueue_timer      |           | C     |              |            | 4288  | 140d  | 647d     | 0/2     | auto-obsoleted due to no activity on 2024/09/11 16:22
upstream     | KASAN: use-after-free Write in enqueue_timer      | net       |       |              |            | 1     | 737d  | 737d     | 22/28   | fixed on 2023/02/24 13:50
android-5-15 | KASAN: use-after-free Write in enqueue_timer      |           |       |              |            | 1     | 308d  | 308d     | 0/2     | auto-obsoleted due to no activity on 2024/04/17 12:01
upstream     | KASAN: slab-use-after-free Write in enqueue_timer | net       |       |              |            | 18    | 555d  | 570d     | 0/28    | auto-obsoleted due to no activity on 2023/08/22 15:17
upstream     | KASAN: invalid-access Write in enqueue_timer      | ext4      |       |              |            | 20    | 1352d | 1374d    | 0/28    | auto-closed as invalid on 2021/07/08 00:48

Sample crash report:
EXT4-fs error (device loop0): ext4_add_entry:2484: inode #2: comm syz.0.385: Directory hole found for htree leaf block 0
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:930 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0xa6/0x480 kernel/time/timer.c:611
Write of size 8 at addr ffff88811b1484c0 by task syz.0.385/1893

CPU: 1 PID: 1893 Comm: syz.0.385 Not tainted 6.1.112-syzkaller-00017-gdefe0024cfb0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x158/0x4e0 mm/kasan/report.c:427
 kasan_report+0x13c/0x170 mm/kasan/report.c:531
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:356
 hlist_add_head include/linux/list.h:930 [inline]
 enqueue_timer+0xa6/0x480 kernel/time/timer.c:611
 internal_add_timer kernel/time/timer.c:640 [inline]
 __mod_timer+0x8d3/0xcf0 kernel/time/timer.c:1121
 mod_timer+0x1f/0x30 kernel/time/timer.c:1172
 ext4_update_super+0xa41/0xe50 fs/ext4/super.c:6066
 ext4_commit_super+0xe3/0x4b0 fs/ext4/super.c:6085
 ext4_handle_error+0x5e1/0x890 fs/ext4/super.c:678
 __ext4_error_inode+0x327/0x5e0 fs/ext4/super.c:810
 __ext4_read_dirblock+0x1a9/0x8e0
 ext4_add_entry+0x743/0xed0 fs/ext4/namei.c:2484
 ext4_add_nondir+0x97/0x290 fs/ext4/namei.c:2843
 ext4_mknod+0x37d/0x560 fs/ext4/namei.c:2923
 vfs_mknod+0x472/0x500 fs/namei.c:3986
 do_mknodat+0x36b/0x5c0
 __do_sys_mknodat fs/namei.c:4064 [inline]
 __se_sys_mknodat fs/namei.c:4061 [inline]
 __x64_sys_mknodat+0xa9/0xc0 fs/namei.c:4061
 x64_sys_call+0x6cd/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:260
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fa9ccb7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa9cc9ff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000103
RAX: ffffffffffffffda RBX: 00007fa9ccd35f80 RCX: 00007fa9ccb7e719
RDX: b0a54e68b1cd2fdb RSI: 0000000020000040 RDI: ffffffffffffff9c
RBP: 00007fa9ccbf175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000103 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa9ccd35f80 R15: 00007ffd59cddb08
 </TASK>

Allocated by task 1584:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:379 [inline]
 __kasan_kmalloc+0x9c/0xb0 mm/kasan/common.c:388
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 kmalloc_trace+0x44/0xa0 mm/slab_common.c:1033
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:693 [inline]
 ext4_alloc_sbi fs/ext4/super.c:4264 [inline]
 ext4_fill_super+0x102/0x8460 fs/ext4/super.c:5638
 get_tree_bdev+0x440/0x680 fs/super.c:1368
 ext4_get_tree+0x1c/0x20 fs/ext4/super.c:5681
 vfs_get_tree+0x88/0x290 fs/super.c:1575
 do_new_mount+0x2ba/0xb30 fs/namespace.c:3051
 path_mount+0x671/0x1070 fs/namespace.c:3381
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3579
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3579
 x64_sys_call+0x49d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 1539:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1745 [inline]
 slab_free_freelist_hook mm/slub.c:1771 [inline]
 slab_free mm/slub.c:3684 [inline]
 __kmem_cache_free+0x218/0x3b0 mm/slub.c:3697
 kfree+0x7a/0xf0 mm/slab_common.c:990
 ext4_put_super+0x9e5/0xd60 fs/ext4/super.c:1312
 generic_shutdown_super+0x14f/0x370 fs/super.c:503
 kill_block_super+0x7e/0xe0 fs/super.c:1472
 deactivate_locked_super+0xad/0x110 fs/super.c:334
 deactivate_super+0xbe/0xf0 fs/super.c:365
 cleanup_mnt+0x485/0x510 fs/namespace.c:1186
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
 task_work_run+0x24d/0x2e0 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xbd5/0x2b80 kernel/exit.c:877
 do_group_exit+0x21a/0x2d0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
 x64_sys_call+0x610/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff88811b148000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1216 bytes inside of
 4096-byte region [ffff88811b148000, ffff88811b149000)

The buggy address belongs to the physical page:
page:ffffea00046c5200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88811b14a000 pfn:0x11b148
head:ffffea00046c5200 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea000439e208 ffffea000439b408 ffff888100043380
raw: ffff88811b14a000 0000000000040002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 884, tgid 884 (syz-executor), ts 60036910955, free_ts 56772224846
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x213/0x220 mm/page_alloc.c:2590
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2597
 get_page_from_freelist+0x2980/0x2a10 mm/page_alloc.c:4439
 __alloc_pages+0x234/0x610 mm/page_alloc.c:5728
 alloc_slab_page+0x6c/0xf0
 allocate_slab mm/slub.c:1962 [inline]
 new_slab+0x90/0x3e0 mm/slub.c:2015
 ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
 __slab_alloc+0x5d/0xa0 mm/slub.c:3302
 slab_alloc_node mm/slub.c:3387 [inline]
 __kmem_cache_alloc_node+0x1af/0x250 mm/slub.c:3460
 __do_kmalloc_node mm/slab_common.c:937 [inline]
 __kmalloc_node_track_caller+0xa2/0x1e0 mm/slab_common.c:958
 kmemdup+0x29/0x60 mm/util.c:134
 _Z7kmemdupPKvU17pass_object_size0mj include/linux/fortify-string.h:585 [inline]
 __addrconf_sysctl_register+0xad/0x3e0 net/ipv6/addrconf.c:7132
 addrconf_sysctl_register+0x141/0x1a0 net/ipv6/addrconf.c:7197
 ipv6_add_dev+0xbd7/0x11a0 net/ipv6/addrconf.c:453
 addrconf_notify+0x6d2/0xe10 net/ipv6/addrconf.c:3601
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0x8c/0xf0 kernel/notifier.c:455
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1498 [inline]
 free_pcp_prepare mm/page_alloc.c:1572 [inline]
 free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3511
 free_unref_page+0xb2/0x5c0 mm/page_alloc.c:3607
 free_the_page mm/page_alloc.c:798 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5817
 __free_slab+0xce/0x1a0 mm/slub.c:2039
 free_slab mm/slub.c:2054 [inline]
 discard_slab mm/slub.c:2060 [inline]
 __unfreeze_partials+0x165/0x1a0 mm/slub.c:2609
 put_cpu_partial+0xa9/0x100 mm/slub.c:2685
 __slab_free+0x1c8/0x280 mm/slub.c:3561
 do_slab_free mm/slub.c:3638 [inline]
 ___cache_free+0xc6/0xd0 mm/slub.c:3691
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0xc5/0x140 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x15a/0x180 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x24/0x80 mm/kasan/common.c:310
 kasan_slab_alloc include/linux/kasan.h:202 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
 slab_alloc_node mm/slub.c:3421 [inline]
 kmem_cache_alloc_node+0x18a/0x2d0 mm/slub.c:3466
 __alloc_skb+0xcc/0x2d0 net/core/skbuff.c:505
 alloc_skb include/linux/skbuff.h:1290 [inline]
 alloc_skb_with_frags+0xa6/0x680 net/core/skbuff.c:6162
 sock_alloc_send_pskb+0x915/0xa50 net/core/sock.c:2753

Memory state around the buggy address:
 ffff88811b148380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811b148400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88811b148480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88811b148500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811b148580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
EXT4-fs error (device loop0): ext4_add_entry:2484: inode #2: comm syz.0.385: Directory hole found for htree leaf block 0
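
Reading the report: the faulting address lies 1216 bytes into a 4096-byte kmalloc-4k object that the allocation trace attributes to ext4_alloc_sbi (the ext4 super-block info) and the free trace to ext4_put_super, reached through a umount run as task work when task 1539 exited. The 8-byte write is hlist_add_head in enqueue_timer linking a timer_list embedded in that freed object into the timer wheel, on behalf of mod_timer called from ext4_update_super while task 1893 was still handling the on-disk corruption announced by the EXT4-fs error line for the same device. The shadow bytes under the marker are all 0xfb, the generic KASAN value for a freed slab object, which agrees with the use-after-free classification.

The C program below is an added triage helper, not part of the syzbot report or of the kernel source. It parses the header lines of the report above (copied verbatim as its sample input), computes the offset of the faulting address inside the object, decodes the shadow byte that covers that address, and checks that these figures agree with each other and with the bug class. The shadow-byte meanings are the generic KASAN encoding from mm/kasan/kasan.h; the function and struct names are the example's own.

```c
/* Added triage helper: parse the header of a generic-KASAN slab report and
 * cross-check its numbers (standalone userspace C, not kernel code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE 8   /* generic KASAN: one shadow byte per 8 bytes of memory */

struct kasan_report {
    char bug[32], access[8], cache[32];    /* bug class, Read/Write, slab cache */
    unsigned size, obj_size, claimed_off;  /* access size, object size, "located N bytes inside" */
    unsigned long long addr, obj;          /* faulting address, object start */
    unsigned long long shadow_base;        /* address covered by the '>' shadow row (0 = none) */
    unsigned shadow[16];                   /* the 16 shadow bytes of that row */
};

/* Sample input: header lines copied from the report on this page. */
static const char *const kasan_sample_report[] = {
    "BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:930 [inline]",
    "Write of size 8 at addr ffff88811b1484c0 by task syz.0.385/1893",
    "The buggy address belongs to the object at ffff88811b148000",
    " which belongs to the cache kmalloc-4k of size 4096",
    "The buggy address is located 1216 bytes inside of",
    ">ffff88811b148480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    NULL,
};

/* Parse the header lines; returns how many lines were recognised. */
int parse_kasan_report(const char *const *lines, struct kasan_report *r)
{
    int hits = 0;
    memset(r, 0, sizeof(*r));
    for (; *lines; lines++) {
        const char *l = *lines;
        char s[32]; unsigned u; unsigned long long x; int n = 0;
        if (!r->bug[0] && sscanf(l, "BUG: KASAN: %31s in", s) == 1) {
            strcpy(r->bug, s); hits++;
        } else if (sscanf(l, "%7s of size %u at addr %llx", s, &u, &x) == 3) {
            strcpy(r->access, s); r->size = u; r->addr = x; hits++;
        } else if (sscanf(l, "The buggy address belongs to the object at %llx", &x) == 1) {
            r->obj = x; hits++;
        } else if (sscanf(l, " which belongs to the cache %31s of size %u", s, &u) == 2) {
            strcpy(r->cache, s); r->obj_size = u; hits++;
        } else if (sscanf(l, "The buggy address is located %u bytes inside of", &u) == 1) {
            r->claimed_off = u; hits++;
        } else if (l[0] == '>' && sscanf(l, ">%llx:%n", &x, &n) == 1 && n > 0) {
            const char *p = l + n;          /* the 16 "xx" shadow bytes follow the colon */
            r->shadow_base = x;
            for (int i = 0; i < 16; i++)
                r->shadow[i] = (unsigned)strtoul(p, (char **)&p, 16);
            hits++;
        }
    }
    return hits;
}

/* Offset of the faulting address inside the slab object. */
long long kasan_offset_in_object(const struct kasan_report *r)
{
    return (long long)(r->addr - r->obj);
}

/* Shadow byte covering the faulting address, or -1 if the row is missing. */
int kasan_shadow_at_fault(const struct kasan_report *r)
{
    if (!r->shadow_base || r->addr < r->shadow_base)
        return -1;
    unsigned long long idx = (r->addr - r->shadow_base) / KASAN_GRANULE;
    return idx < 16 ? (int)r->shadow[idx] : -1;
}

/* Generic KASAN shadow encoding for the values that matter in slab reports. */
const char *kasan_shadow_meaning(int b)
{
    if (b == 0x00) return "addressable";
    if (b >= 1 && b <= 7) return "partially addressable (only the first b bytes)";
    switch (b) {
    case 0xfb: return "freed slab object";
    case 0xfc: return "slab redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    default:   return "other";
    }
}

/* Cross-checks a triager makes before trusting the alloc/free traces. */
int kasan_report_consistent(const struct kasan_report *r)
{
    long long off = kasan_offset_in_object(r);
    if (off < 0 || (unsigned long long)off != r->claimed_off)
        return 0;                                   /* offset must match the text */
    if ((unsigned long long)off + r->size > r->obj_size)
        return 0;                                   /* access must stay inside the object */
    if (strstr(r->bug, "use-after-free") && kasan_shadow_at_fault(r) != 0xfb)
        return 0;                                   /* a UAF should sit on freed shadow */
    return 1;
}

int main(void)
{
    struct kasan_report r;
    parse_kasan_report(kasan_sample_report, &r);
    int shadow = kasan_shadow_at_fault(&r);
    printf("%s %s of %u bytes at +%lld in %s (%u bytes)\n", r.bug, r.access,
           r.size, kasan_offset_in_object(&r), r.cache, r.obj_size);
    printf("shadow 0x%02x: %s; report %s\n", shadow, kasan_shadow_meaning(shadow),
           kasan_report_consistent(&r) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

Run against the lines above it reports a Write of 8 bytes at +1216 in kmalloc-4k, shadow 0xfb (freed slab object) and a consistent report. A mismatch between the computed offset and the "located N bytes inside" figure, or an access that runs past the object, is the usual sign that the report was hand-edited or that two reports were spliced together, and is worth catching before the alloc and free traces are read.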

Crashes (25):
Time             | Kernel        | Commit       | Syzkaller | Manager         | Title
2024/11/16 18:11 | android14-6.1 | defe0024cfb0 | cfe3a04a  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/11/11 06:44 | android14-6.1 | eef3d33656ce | 6b856513  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/11/06 13:42 | android14-6.1 | 976b055754d7 | 3a465482  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/10/27 07:49 | android14-6.1 | a874ed06eb34 | 65e8686b  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/09/24 09:03 | android14-6.1 | 2cd8ac816de5 | 89298aad  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/20 17:39 | android14-6.1 | edca080b95df | 9f0ab3fb  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/16 06:56 | android14-6.1 | d6a513a78492 | e4bacdaf  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/15 06:36 | android14-6.1 | 64b0e0b28508 | e4bacdaf  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/14 08:03 | android14-6.1 | 660e1a26952b | 07a4d4ad  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/13 13:36 | android14-6.1 | 79436849ef1d | f21a18ca  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/08 02:22 | android14-6.1 | 1bb38f786569 | de12cf65  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/08 02:22 | android14-6.1 | 1bb38f786569 | de12cf65  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/07 12:20 | android14-6.1 | 1bb38f786569 | 1ef9fe42  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/06 17:57 | android14-6.1 | 1bb38f786569 | 1ef9fe42  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/06 14:48 | android14-6.1 | 37391192a93a | 1ef9fe42  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/06 09:22 | android14-6.1 | 37391192a93a | e1bdb00a  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/06 09:16 | android14-6.1 | 37391192a93a | e1bdb00a  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/06 08:58 | android14-6.1 | 37391192a93a | e1bdb00a  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/05 05:32 | android14-6.1 | 6aafd06a463b | 1786a2a8  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/08/03 23:59 | android14-6.1 | 6aafd06a463b | 1786a2a8  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/07/20 07:38 | android14-6.1 | 6d6afa9d3f8f | b88348e9  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/07/18 13:19 | android14-6.1 | fc94b39f6687 | 71884c12  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/07/16 17:19 | android14-6.1 | 4965ad067b76 | b66b37bd  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/06/17 10:01 | android14-6.1 | c0618d182a9c | 88722c0f  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
2024/06/16 14:57 | android14-6.1 | 25216be1ac5e | f429ab00  | ci2-android-6-1 | KASAN: use-after-free Write in enqueue_timer
Every row also links to its .config, console log, report, VM info and assets (disk image, vmlinux, kernel image). The Syz repro and C repro columns are empty for all 25 crashes: no reproducer is attached to this bug.