syzbot


KASAN: use-after-free Read in siw_query_port (2)

Status: upstream: reported on 2024/02/09 22:01
Reported-by: syzbot+3abffbfcd33801a21f2f@syzkaller.appspotmail.com
First crash: 126d, last: 16h18m
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in siw_query_port (2) 15 2d11h 184d 0/3 upstream: reported on 2023/12/13 22:42
upstream KASAN: slab-use-after-free Read in siw_query_port rdma 50 284d 400d 0/27 auto-obsoleted due to no activity on 2023/11/13 22:18
linux-6.1 KASAN: use-after-free Read in siw_query_port 5 239d 316d 0/3 auto-obsoleted due to no activity on 2024/01/27 18:37
linux-5.15 KASAN: use-after-free Read in siw_query_port 3 330d 356d 0/3 auto-obsoleted due to no activity on 2023/10/29 16:51

Sample crash report:
netdevsim0 speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff88807b9200e0 by task kworker/0:3/3614

CPU: 0 PID: 3614 Comm: kworker/0:3 Not tainted 6.1.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1487
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1561
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

Allocated by task 6219:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:955 [inline]
 __kmalloc_node+0xb3/0x230 mm/slab_common.c:962
 kmalloc_node include/linux/slab.h:582 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:709 [inline]
 kvzalloc include/linux/slab.h:717 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10623
 nsim_create+0x78/0x3f0 drivers/net/netdevsim/netdev.c:350
 __nsim_dev_port_add+0x6ba/0xb10 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all+0x33/0xe0 drivers/net/netdevsim/dev.c:1451
 nsim_drv_probe+0x80e/0xb20 drivers/net/netdevsim/dev.c:1605
 really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
 driver_probe_device+0x50/0x420 drivers/base/dd.c:815
 __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:1015
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3686
 nsim_bus_dev_new drivers/net/netdevsim/bus.c:290 [inline]
 new_device_store+0x3e5/0x800 drivers/net/netdevsim/bus.c:167
 kernfs_fop_write_iter+0x3a2/0x4f0 fs/kernfs/file.c:330
 call_write_iter include/linux/fs.h:2265 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x7ae/0xba0 fs/read_write.c:584
 ksys_write+0x19c/0x2c0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 5394:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674
 device_release+0x91/0x1c0
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 __nsim_dev_port_del+0x153/0x1b0 drivers/net/netdevsim/dev.c:1430
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1442 [inline]
 nsim_dev_reload_destroy+0x286/0x490 drivers/net/netdevsim/dev.c:1659
 nsim_dev_reload_down+0x94/0xc0 drivers/net/netdevsim/dev.c:965
 devlink_reload+0x1eb/0x6a0 net/devlink/leftover.c:4492
 devlink_pernet_pre_exit+0x14e/0x2c0 net/devlink/leftover.c:12521
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x59c/0xb60 net/core/net_namespace.c:592
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff88807b920000
 which belongs to the cache kmalloc-cg-8k of size 8192
The buggy address is located 224 bytes inside of
 8192-byte region [ffff88807b920000, ffff88807b922000)

The buggy address belongs to the physical page:
page:ffffea0001ee4800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b920
head:ffffea0001ee4800 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888056989761
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88801244c3c0
raw: 0000000000000000 0000000000020002 00000001ffffffff ffff888056989761
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4180, tgid 4180 (kworker/u4:11), ts 99839523136, free_ts 99759580445
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5547
 alloc_slab_page+0x6a/0x150 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x84/0x2d0 mm/slub.c:1992
 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437
 __do_kmalloc_node mm/slab_common.c:954 [inline]
 __kmalloc_node+0xa2/0x230 mm/slab_common.c:962
 kmalloc_node include/linux/slab.h:582 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:709 [inline]
 kvzalloc include/linux/slab.h:717 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10623
 nsim_create+0x78/0x3f0 drivers/net/netdevsim/netdev.c:350
 __nsim_dev_port_add+0x6ba/0xb10 drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1451 [inline]
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1503 [inline]
 nsim_dev_reload_up+0x693/0x8e0 drivers/net/netdevsim/dev.c:985
 devlink_reload+0x2a0/0x6a0 net/devlink/leftover.c:4499
 devlink_pernet_pre_exit+0x14e/0x2c0 net/devlink/leftover.c:12521
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x59c/0xb60 net/core/net_namespace.c:592
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453
 free_slab mm/slub.c:2031 [inline]
 discard_slab mm/slub.c:2037 [inline]
 __unfreeze_partials+0x1b7/0x210 mm/slub.c:2586
 put_cpu_partial+0x17b/0x250 mm/slub.c:2662
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 __kmem_cache_alloc_node+0x137/0x260 mm/slub.c:3437
 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1045
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:692 [inline]
 devlink_trap_register net/devlink/leftover.c:11831 [inline]
 devl_traps_register+0x431/0xaa0 net/devlink/leftover.c:11923
 nsim_dev_traps_init+0x279/0x4b0 drivers/net/netdevsim/dev.c:903
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1481 [inline]
 nsim_dev_reload_up+0x39b/0x8e0 drivers/net/netdevsim/dev.c:985
 devlink_reload+0x2a0/0x6a0 net/devlink/leftover.c:4499
 devlink_pernet_pre_exit+0x14e/0x2c0 net/devlink/leftover.c:12521
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x59c/0xb60 net/core/net_namespace.c:592

Memory state around the buggy address:
 ffff88807b91ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807b920000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b920080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88807b920100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b920180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (29):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/15 02:11 linux-6.1.y ae9f2a70d69e f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/15 02:10 linux-6.1.y ae9f2a70d69e f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/09 21:35 linux-6.1.y 88690811da69 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/06 03:36 linux-6.1.y 88690811da69 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/05 23:04 linux-6.1.y 88690811da69 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/05 23:03 linux-6.1.y 88690811da69 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/06/05 22:15 linux-6.1.y 88690811da69 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/24 10:20 linux-6.1.y 4078fa637fcd 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/24 10:17 linux-6.1.y 4078fa637fcd 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/21 18:41 linux-6.1.y 4078fa637fcd 4c0d3ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/18 01:21 linux-6.1.y 4078fa637fcd c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/18 01:21 linux-6.1.y 4078fa637fcd c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/15 10:22 linux-6.1.y 909ba1f1b414 94b087b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/15 10:21 linux-6.1.y 909ba1f1b414 94b087b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/15 02:30 linux-6.1.y 909ba1f1b414 fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/14 09:46 linux-6.1.y 909ba1f1b414 fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/07 19:16 linux-6.1.y 909ba1f1b414 cb2dcc0e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/05/03 14:15 linux-6.1.y 909ba1f1b414 dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/29 11:28 linux-6.1.y e5cd595e23c1 c52bcb23 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/28 13:56 linux-6.1.y e5cd595e23c1 e91187ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/25 01:31 linux-6.1.y d7543167affd 0ea90952 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/17 10:18 linux-6.1.y d7543167affd d615901c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/17 07:39 linux-6.1.y d7543167affd d615901c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/08 17:57 linux-6.1.y 61adba85cc40 8e75c913 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/08 17:55 linux-6.1.y 61adba85cc40 8e75c913 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/02/22 17:51 linux-6.1.y 8b4118fabd6e 8d446f15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/02/14 07:44 linux-6.1.y f1bb70486c9c d902085f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/02/09 22:01 linux-6.1.y f1bb70486c9c 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2024/03/30 04:34 linux-6.1.y e5cd595e23c1 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in siw_query_port
* Struck through repros no longer work on HEAD.