syzbot

 sign-in | mailing list | source | docs
🐞 Open [677]
🐞 Fixed [94]
🐞 Invalid [514]
Missing Backports [36]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in siw_query_port (2)

Status: upstream: reported on 2024/02/09 22:01
Reported-by: syzbot+3abffbfcd33801a21f2f@syzkaller.appspotmail.com
First crash: 285d, last: 2d20h
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in siw_query_port (2) 60 4d06h 343d 0/3 upstream: reported on 2023/12/13 22:42
upstream KASAN: slab-use-after-free Read in siw_query_port rdma 50 443d 559d 0/28 auto-obsoleted due to no activity on 2023/11/13 22:18
linux-6.1 KASAN: use-after-free Read in siw_query_port 5 398d 475d 0/3 auto-obsoleted due to no activity on 2024/01/27 18:37
linux-5.15 KASAN: use-after-free Read in siw_query_port 3 489d 515d 0/3 auto-obsoleted due to no activity on 2023/10/29 16:51

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff88805a2140e0 by task kworker/0:1/14

CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 6.1.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1483
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1557
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001688500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5a214
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00019a4208 ffffea00010d8308 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 15562, tgid 15559 (syz.1.3217), ts 735503910075, free_ts 1089372690906
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
 prep_new_page mm/page_alloc.c:2524 [inline]
 get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4313
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5589
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1077
 __do_kmalloc_node mm/slab_common.c:924 [inline]
 __kmalloc_node+0x111/0x230 mm/slab_common.c:943
 kmalloc_node include/linux/slab.h:583 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:710 [inline]
 kvzalloc include/linux/slab.h:718 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10631
 ieee80211_if_add+0xe67/0x1890 net/mac80211/iface.c:2175
 ieee80211_add_iface+0xd1/0x1d0 net/mac80211/cfg.c:183
 rdev_add_virtual_intf net/wireless/rdev-ops.h:50 [inline]
 _nl80211_new_interface net/wireless/nl80211.c:4267 [inline]
 nl80211_new_interface+0x707/0x1110 net/wireless/nl80211.c:4326
 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0xc1a/0xf70 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 ____sys_sendmsg+0x5a5/0x8f0 net/socket.c:2519
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1444 [inline]
 free_pcp_prepare mm/page_alloc.c:1494 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3464
 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:913
 device_release+0x91/0x1c0
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 netdev_run_todo+0xe56/0xf40 net/core/dev.c:10421
 ieee80211_unregister_hw+0xfc/0x290 net/mac80211/main.c:1483
 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683
 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:5470
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x6ce/0xb60 net/core/net_namespace.c:604
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88805a213f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805a214000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805a214080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff88805a214100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805a214180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (199):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/11/18 21:31 linux-6.1.y b67dc5c9ade9 e7bb5d6e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/18 08:41 linux-6.1.y b67dc5c9ade9 cfe3a04a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/17 10:14 linux-6.1.y 59d7b1a7104a cfe3a04a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/16 02:55 linux-6.1.y 59d7b1a7104a cfe3a04a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/14 23:45 linux-6.1.y 59d7b1a7104a a8c99394 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/11 21:16 linux-6.1.y d7039b844a1c 0c4b1325 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/11 02:35 linux-6.1.y d7039b844a1c 6b856513 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/05 04:38 linux-6.1.y 7c15117f9468 509da429 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/01 14:46 linux-6.1.y 7c15117f9468 96eb609f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/11/01 13:12 linux-6.1.y 7c15117f9468 96eb609f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/30 12:55 linux-6.1.y 7ec6f9fa3d97 fb888278 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/26 13:59 linux-6.1.y 7ec6f9fa3d97 65e8686b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/26 00:01 linux-6.1.y 7ec6f9fa3d97 045e728d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/24 18:16 linux-6.1.y 7ec6f9fa3d97 0d144d1a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/23 20:28 linux-6.1.y 7ec6f9fa3d97 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/22 13:33 linux-6.1.y 54d90d17e8ce a93682b3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/19 06:08 linux-6.1.y 54d90d17e8ce cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/18 01:13 linux-6.1.y 54d90d17e8ce 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/16 07:44 linux-6.1.y aa4cd140bba5 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/15 21:56 linux-6.1.y aa4cd140bba5 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/14 20:52 linux-6.1.y aa4cd140bba5 b01b6661 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/12 07:05 linux-6.1.y aa4cd140bba5 084d8178 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/11 20:16 linux-6.1.y aa4cd140bba5 cd942402 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/10 12:01 linux-6.1.y aa4cd140bba5 0278d004 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/10 00:17 linux-6.1.y aa4cd140bba5 56fb2cb7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/02 20:49 linux-6.1.y aa4cd140bba5 02f9582a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/02 18:41 linux-6.1.y aa4cd140bba5 02f9582a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/01 11:36 linux-6.1.y aa4cd140bba5 ea2b66a6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/10/01 00:48 linux-6.1.y aa4cd140bba5 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/30 15:23 linux-6.1.y aa4cd140bba5 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/28 10:59 linux-6.1.y e526b12bf916 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/26 17:30 linux-6.1.y e526b12bf916 9314348a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/26 12:07 linux-6.1.y e526b12bf916 0d19f247 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/25 03:18 linux-6.1.y e526b12bf916 5643e0e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/25 03:16 linux-6.1.y e526b12bf916 5643e0e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/20 15:31 linux-6.1.y e526b12bf916 6f888b75 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/17 00:31 linux-6.1.y 5f55cad62cc9 c673ca06 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/11 17:13 linux-6.1.y 5ca5b389fddf 8ab55d0e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/11 00:26 linux-6.1.y 5ca5b389fddf 86aa7bd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/10 11:19 linux-6.1.y 5ca5b389fddf 784df80e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/09 18:05 linux-6.1.y 5ca5b389fddf 073f8be2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/08 12:09 linux-6.1.y 5ca5b389fddf 9750182a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/06 20:40 linux-6.1.y 699506173494 9750182a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/06 00:28 linux-6.1.y 699506173494 464ac2ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/05 22:06 linux-6.1.y 699506173494 464ac2ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/04 02:39 linux-6.1.y 311d8503ef9f 326f9c5a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/09/03 06:47 linux-6.1.y 311d8503ef9f 8045124c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/08/31 16:04 linux-6.1.y 311d8503ef9f 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/08/30 14:55 linux-6.1.y 311d8503ef9f ee2602b8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/02/09 22:01 linux-6.1.y f1bb70486c9c 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/28 07:58 linux-6.1.y 99e6a620de00 6ef39602 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in siw_query_port
* Struck through repros no longer work on HEAD.