syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [569] 🐞 Fixed [66] 🐞 Invalid [207] ⬇ Missing Backports [40] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
erspan0 speed is unknown, defaulting to 1000 ================================================================== BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177 Read of size 4 at addr ffff8880197220e0 by task kworker/0:18/14655 CPU: 0 PID: 14655 Comm: kworker/0:18 Not tainted 6.1.90-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Workqueue: infiniband ib_cache_event_task Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1487 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1561 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Allocated by task 5992: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:955 [inline] __kmalloc_node+0xb3/0x230 mm/slab_common.c:962 kmalloc_node include/linux/slab.h:582 [inline] kvmalloc_node+0x6e/0x180 mm/util.c:581 kvmalloc include/linux/slab.h:709 [inline] kvzalloc include/linux/slab.h:717 [inline] alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10622 __ip_tunnel_create+0x205/0x370 net/ipv4/ip_tunnel.c:254 ip_tunnel_init_net+0x21f/0x700 net/ipv4/ip_tunnel.c:1100 ops_init+0x356/0x600 net/core/net_namespace.c:135 setup_net+0x4b5/0xb90 net/core/net_namespace.c:332 copy_net_ns+0x395/0x5d0 net/core/net_namespace.c:478 create_new_namespaces+0x425/0x7a0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x11e/0x170 kernel/nsproxy.c:226 ksys_unshare+0x580/0xb20 kernel/fork.c:3203 __do_sys_unshare kernel/fork.c:3274 [inline] __se_sys_unshare kernel/fork.c:3272 [inline] __x64_sys_unshare+0x34/0x40 kernel/fork.c:3272 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 5616: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook mm/slub.c:1750 [inline] slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674 device_release+0x91/0x1c0 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x224/0x460 lib/kobject.c:729 netdev_run_todo+0xe56/0xf40 net/core/dev.c:10412 ip_tunnel_delete_nets+0x2f2/0x330 net/ipv4/ip_tunnel.c:1154 ops_exit_list net/core/net_namespace.c:174 [inline] cleanup_net+0x763/0xb60 net/core/net_namespace.c:601 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 The buggy address belongs to the object at ffff888019722000 which belongs to the cache kmalloc-cg-4k of size 4096 The buggy address is located 224 bytes inside of 4096-byte region [ffff888019722000, ffff888019723000) The buggy address belongs to the physical page: page:ffffea000065c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19720 head:ffffea000065c800 order:3 compound_mapcount:0 compound_pincount:0 memcg:ffff88807f8fb041 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000001 ffff88801244c280 raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88807f8fb041 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3564, tgid 3564 (syz-executor.1), ts 57825172844, free_ts 57794641888 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513 prep_new_page mm/page_alloc.c:2520 [inline] get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5547 alloc_slab_page+0x6a/0x150 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:954 [inline] __kmalloc_node_track_caller+0xa0/0x220 mm/slab_common.c:975 kmemdup+0x26/0x60 mm/util.c:129 __devinet_sysctl_register+0xac/0x2a0 net/ipv4/devinet.c:2587 devinet_sysctl_register+0x13a/0x1a0 net/ipv4/devinet.c:2639 inetdev_init+0x291/0x4c0 net/ipv4/devinet.c:279 inetdev_event+0x29b/0x1490 net/ipv4/devinet.c:1534 notifier_call_chain kernel/notifier.c:87 [inline] raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455 call_netdevice_notifiers_info net/core/dev.c:1970 [inline] call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers+0x145/0x1b0 net/core/dev.c:2022 register_netdevice+0x12f2/0x1720 net/core/dev.c:10132 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1440 [inline] free_pcp_prepare mm/page_alloc.c:1490 [inline] free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] __kmem_cache_alloc_node+0x137/0x260 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:954 [inline] __kmalloc+0xa1/0x230 mm/slab_common.c:968 kmalloc include/linux/slab.h:561 [inline] kzalloc include/linux/slab.h:692 [inline] fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:156 ip6_route_info_create+0x446/0x12c0 net/ipv6/route.c:3750 ip6_route_add+0x22/0x120 net/ipv6/route.c:3844 addrconf_prefix_route net/ipv6/addrconf.c:2442 [inline] add_v4_addrs+0xb51/0x1180 net/ipv6/addrconf.c:3195 addrconf_gre_config net/ipv6/addrconf.c:3469 [inline] addrconf_init_auto_addrs+0x1ff/0xe60 net/ipv6/addrconf.c:3487 addrconf_notify+0xade/0xf60 net/ipv6/addrconf.c:3668 notifier_call_chain kernel/notifier.c:87 [inline] raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:455 __dev_notify_flags+0x304/0x610 Memory state around the buggy address: ffff888019721f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888019722000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888019722080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888019722100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888019722180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/05/03 14:15 | linux-6.1.y | 909ba1f1b414 | dd26401e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/29 11:28 | linux-6.1.y | e5cd595e23c1 | c52bcb23 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/28 13:56 | linux-6.1.y | e5cd595e23c1 | e91187ee | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/25 01:31 | linux-6.1.y | d7543167affd | 0ea90952 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/17 10:18 | linux-6.1.y | d7543167affd | d615901c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/17 07:39 | linux-6.1.y | d7543167affd | d615901c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/08 17:57 | linux-6.1.y | 61adba85cc40 | 8e75c913 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/08 17:55 | linux-6.1.y | 61adba85cc40 | 8e75c913 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/02/22 17:51 | linux-6.1.y | 8b4118fabd6e | 8d446f15 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/02/14 07:44 | linux-6.1.y | f1bb70486c9c | d902085f | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/02/09 22:01 | linux-6.1.y | f1bb70486c9c | 77b23aa1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2024/03/30 04:34 | linux-6.1.y | e5cd595e23c1 | 6baf5069 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: use-after-free Read in siw_query_port |