syzbot


KASAN: slab-out-of-bounds Read in process_one_work

Status: auto-obsoleted due to no activity on 2023/01/25 20:05
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+83cb0411d0fcf0a30fc1@syzkaller.appspotmail.com
First crash: 715d, last: 715d
Discussions (2)
Title Replies (including bot) Last reply
[PATCH] umh: fix UAF when the process is being killed 17 (17) 2023/01/24 17:39
[PATCH v2] umh: fix out of scope usage when the process is being killed 3 (3) 2022/12/15 05:11
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in process_one_work missing-backport origin:downstream C unreliable 427 1d13h 711d 0/2 upstream: reported C repro on 2022/10/31 08:36
upstream KMSAN: kernel-infoleak in copyout (2) net C 6723 491d 1660d 22/28 fixed on 2023/06/08 14:41
android-5-10 BUG: corrupted list in process_one_work C error done 25 3d15h 915d 2/2 upstream: reported C repro on 2022/04/10 06:05
upstream KASAN: global-out-of-bounds Read in process_one_work kernel 1 149d 145d 0/28 auto-obsoleted due to no activity on 2024/08/14 00:54
upstream general protection fault in process_one_work (2) kernel 1 1180d 1176d 0/28 auto-closed as invalid on 2021/09/17 12:34
android-6-1 KASAN: use-after-free Read in process_one_work origin:upstream missing-backport C error 566 2h43m 509d 0/2 upstream: reported C repro on 2023/05/21 23:04
upstream KASAN: slab-use-after-free Read in process_one_work kernel 2 398d 401d 0/28 auto-obsoleted due to no activity on 2023/12/08 17:35
android-54 KASAN: use-after-free Read in process_one_work 1 571d 571d 0/2 auto-obsoleted due to no activity on 2023/07/18 18:33

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in swake_up_locked kernel/sched/swait.c:29 [inline]
BUG: KASAN: slab-out-of-bounds in complete+0xa8/0x1c0 kernel/sched/completion.c:36
Read of size 8 at addr ffff88801ffcba78 by task kworker/u4:32/11940

CPU: 0 PID: 11940 Comm: kworker/u4:32 Not tainted 6.1.0-rc2-syzkaller-00078-g98555239e4c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x220 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 swake_up_locked kernel/sched/swait.c:29 [inline]
 complete+0xa8/0x1c0 kernel/sched/completion.c:36
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slub.c:3398 [inline]
 kmem_cache_alloc_node+0x1ca/0x340 mm/slub.c:3443
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4e/0x490 kernel/fork.c:966
 copy_process+0x637/0x3fc0 kernel/fork.c:2084
 kernel_clone+0x227/0x640 kernel/fork.c:2671
 kernel_thread+0x150/0x1d0 kernel/fork.c:2731
 create_kthread kernel/kthread.c:399 [inline]
 kthreadd+0x5bc/0x790 kernel/kthread.c:746
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88801ffc9d40
 which belongs to the cache task_struct of size 7232
The buggy address is located 248 bytes to the right of
 7232-byte region [ffff88801ffc9d40, ffff88801ffcb980)

The buggy address belongs to the physical page:
page:ffffea00007ff200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ffc8
head:ffffea00007ff200 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888076124f01
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff8881400073c0
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff888076124f01
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 9, tgid 9 (kworker/u4:0), ts 6883003803, free_ts 0
 prep_new_page mm/page_alloc.c:2538 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4287
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5554
 alloc_slab_page+0x70/0xf0 mm/slub.c:1794
 allocate_slab+0x5e/0x4b0 mm/slub.c:1939
 new_slab mm/slub.c:1992 [inline]
 ___slab_alloc+0x7f4/0xeb0 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 kmem_cache_alloc_node+0x283/0x340 mm/slub.c:3443
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct+0x4e/0x490 kernel/fork.c:966
 copy_process+0x637/0x3fc0 kernel/fork.c:2084
 kernel_clone+0x227/0x640 kernel/fork.c:2671
 user_mode_thread+0x12d/0x190 kernel/fork.c:2747
 call_usermodehelper_exec_work+0x57/0x220 kernel/umh.c:175
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801ffcb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801ffcb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801ffcba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88801ffcba80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801ffcbb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/10/27 20:05 upstream 98555239e4c3 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in process_one_work
* Struck through repros no longer work on HEAD.