syzbot
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:50 [inline]
BUG: KASAN: use-after-free in kernfs_active+0x6e/0xea fs/kernfs/dir.c:28
Read of size 8 at addr ffffaf80227a00e8 by task kworker/u4:5/856

CPU: 0 PID: 856 Comm: kworker/u4:5 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: netns cleanup_net
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff806676c6>] kernfs_root fs/kernfs/kernfs-internal.h:50 [inline]
[<ffffffff806676c6>] kernfs_active+0x6e/0xea fs/kernfs/dir.c:28
[<ffffffff80668c0e>] __kernfs_remove+0x1a8/0x804 fs/kernfs/dir.c:1345
[<ffffffff8066b1ee>] kernfs_remove+0x56/0x70 fs/kernfs/dir.c:1403
[<ffffffff80671b24>] sysfs_remove_group+0x80/0xee fs/sysfs/group.c:290
[<ffffffff80672c86>] sysfs_remove_groups fs/sysfs/group.c:312 [inline]
[<ffffffff80672c86>] sysfs_remove_groups+0x50/0x78 fs/sysfs/group.c:304
[<ffffffff813deb28>] device_remove_groups drivers/base/core.c:2478 [inline]
[<ffffffff813deb28>] device_remove_attrs+0xa0/0x10a drivers/base/core.c:2678
[<ffffffff813e183c>] device_del+0x328/0x730 drivers/base/core.c:3591
[<ffffffff827bda8e>] netdev_unregister_kobject+0x118/0x12c net/core/net-sysfs.c:1974
[<ffffffff8272cfe8>] unregister_netdevice_many+0xa2e/0xf50 net/core/dev.c:10442
[<ffffffff82c155da>] ip_tunnel_delete_nets+0x348/0x4e2 net/ipv4/ip_tunnel.c:1123
[<ffffffff82c4982a>] vti_exit_batch_net+0x2a/0x34 net/ipv4/ip_vti.c:515
[<ffffffff8270dc76>] ops_exit_list+0xcc/0xe8 net/core/net_namespace.c:173
[<ffffffff8270f544>] cleanup_net+0x430/0x732 net/core/net_namespace.c:597
[<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307
[<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454
[<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377
[<ffffffff80005724>] ret_from_exception+0x0/0x10

The buggy address belongs to the page:
page:ffffaf807affb500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa29a0
flags: 0xa000000000(section=20|node=0|zone=0)
raw: 000000a000000000 ffffaf807af8e428 ffffaf807aac8828 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2067, ts 1355774348100, free_ts 1355933418600
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_thread_stack_node kernel/fork.c:262 [inline]
 dup_task_struct kernel/fork.c:887 [inline]
 copy_process+0x482/0x3c34 kernel/fork.c:1998
 kernel_clone+0xee/0x920 kernel/fork.c:2555
 kernel_thread+0xf8/0x130 kernel/fork.c:2607
 call_usermodehelper_exec_work kernel/umh.c:174 [inline]
 call_usermodehelper_exec_work+0xc8/0x122 kernel/umh.c:160
 process_one_work+0x654/0xffe kernel/workqueue.c:2307
 worker_thread+0x360/0x8fa kernel/workqueue.c:2454
 kthread+0x19e/0x1fa kernel/kthread.c:377
 ret_from_exception+0x0/0x10
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x6a/0x31e mm/page_alloc.c:3404
 free_the_page mm/page_alloc.c:706 [inline]
 __free_pages+0xe2/0x112 mm/page_alloc.c:5474
 free_thread_stack kernel/fork.c:297 [inline]
 release_task_stack kernel/fork.c:434 [inline]
 put_task_stack+0x1d0/0x2b0 kernel/fork.c:445
 finish_task_switch.isra.0+0x3ce/0x420 kernel/sched/core.c:4898
 context_switch kernel/sched/core.c:4989 [inline]
 __schedule+0x58e/0x118e kernel/sched/core.c:6296
 preempt_schedule_common+0x4e/0xde kernel/sched/core.c:6462
 preempt_schedule+0x34/0x36 kernel/sched/core.c:6487
 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_unlock+0x60/0x6a kernel/locking/spinlock.c:186
 spin_unlock include/linux/spinlock.h:389 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
 nsim_dev_trap_report_work+0x556/0x5e4 drivers/net/netdevsim/dev.c:843
 process_one_work+0x654/0xffe kernel/workqueue.c:2307
 worker_thread+0x360/0x8fa kernel/workqueue.c:2454
 kthread+0x19e/0x1fa kernel/kthread.c:377
 ret_from_exception+0x0/0x10

Memory state around the buggy address:
 ffffaf802279ff80: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
 ffffaf80227a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf80227a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffffaf80227a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffaf80227a0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
Oops [#1]
Modules linked in:
CPU: 1 PID: 856 Comm: kworker/u4:5 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: netns cleanup_net
epc : __up_write kernel/locking/rwsem.c:1309 [inline]
epc : up_write+0x50/0x250 kernel/locking/rwsem.c:1567
 ra : __up_write kernel/locking/rwsem.c:1309 [inline]
 ra : up_write+0x50/0x250 kernel/locking/rwsem.c:1567
epc : ffffffff801085ec ra : ffffffff801085ec sp : ffffaf800e25f530
 gp : ffffffff85863ac0 tp : ffffaf800e49e100 t0 : ffffaf800e6ef640
 t1 : fffff5ef044f3fd0 t2 : 0000000000000001 s0 : ffffaf800e25f590
 s1 : 00000000000000d8 a0 : 0000000000000000 a1 : 0000000000000008
 a2 : 0000000000000000 a3 : ffffffff801085ec a4 : ffffffff85892ec8
 a5 : 0000000000000001 a6 : 0000000000f00000 a7 : ffffaf802279fe87
 s2 : 00000000000000e0 s3 : ffffffff85899680 s4 : 0000000000000140
 s5 : 0000000000000000 s6 : ffffaf800e25f5f0 s7 : ffffaf802279feb0
 s8 : ffffaf800d4d9f18 s9 : 00000000000000d8 s10: ffffaf800c396a24
 s11: ffffaf805a9f5c90 t3 : 0000000000000c89 t4 : fffff5ef044f3fd0
 t5 : fffff5ef044f3fd1 t6 : 0000000000000002
status: 0000000000000120 badaddr: 0000000000000140 cause: 000000000000000d
[<ffffffff80668dba>] kernfs_drain fs/kernfs/dir.c:467 [inline]
[<ffffffff80668dba>] __kernfs_remove+0x354/0x804 fs/kernfs/dir.c:1367
[<ffffffff8066b1ee>] kernfs_remove+0x56/0x70 fs/kernfs/dir.c:1403
[<ffffffff80671b24>] sysfs_remove_group+0x80/0xee fs/sysfs/group.c:290
[<ffffffff80672c86>] sysfs_remove_groups fs/sysfs/group.c:312 [inline]
[<ffffffff80672c86>] sysfs_remove_groups+0x50/0x78 fs/sysfs/group.c:304
[<ffffffff813deb28>] device_remove_groups drivers/base/core.c:2478 [inline]
[<ffffffff813deb28>] device_remove_attrs+0xa0/0x10a drivers/base/core.c:2678
[<ffffffff813e183c>] device_del+0x328/0x730 drivers/base/core.c:3591
[<ffffffff827bda8e>] netdev_unregister_kobject+0x118/0x12c net/core/net-sysfs.c:1974
[<ffffffff8272cfe8>] unregister_netdevice_many+0xa2e/0xf50 net/core/dev.c:10442
[<ffffffff82c155da>] ip_tunnel_delete_nets+0x348/0x4e2 net/ipv4/ip_tunnel.c:1123
[<ffffffff82c4982a>] vti_exit_batch_net+0x2a/0x34 net/ipv4/ip_vti.c:515
[<ffffffff8270dc76>] ops_exit_list+0xcc/0xe8 net/core/net_namespace.c:173
[<ffffffff8270f544>] cleanup_net+0x430/0x732 net/core/net_namespace.c:597
[<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307
[<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454
[<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377
[<ffffffff80005724>] ret_from_exception+0x0/0x10
---[ end trace 0000000000000000 ]---
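A triage helper for reports of this shape, added here as an example; it is not syzbot's or syzkaller's own report parser. It pulls the fields worth keeping out of a generic-KASAN report (bug kind, access, task, kernel version, the call trace and the page_owner alloc/free stacks), decodes the shadow byte under the reported address using the shadow values generic KASAN defines in mm/kasan/kasan.h, and picks the first frame of each page_owner stack that is outside the page allocator. Run on the report above it yields shadow 0xff (freed page), allocation by alloc_thread_stack_node and free by free_thread_stack, i.e. the 8-byte read in kernfs_root() lands in a page that was last used as a kernel thread stack. The sample text is the report on this page re-broken into lines and shortened; the "first frame outside mm/" heuristic and all function names below are this example's own.

```python
"""Triage helper for generic-KASAN reports as syzbot posts them (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shadow-byte values of generic KASAN (mm/kasan/kasan.h). 0x00 marks a fully
# addressable 8-byte granule; 0x01..0x07 give the number of valid leading bytes.
SHADOW_MEANING = {
    0xFF: "freed page", 0xFE: "page-level redzone", 0xFC: "slab redzone",
    0xFB: "freed slab object", 0xFA: "freed slab object (free track)",
    0xF9: "global redzone", 0xF8: "vmalloc hole", 0xF1: "stack left redzone",
    0xF2: "stack mid redzone", 0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}

BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (.+)$")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: .*?) (\S+) #")
# "[<addr>] func+0xoff/0xlen path:line [inline]"; address, offset, location and the
# inline tag are all optional so the same pattern covers the page_owner stacks too.
FRAME_RE = re.compile(r"^(?:\[<[0-9a-f]+>\]\s+)?([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(\S+:\d+))?(?:\s+\[inline\])?$")
SHADOW_RE = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})$")  # the '>' row holds addr
NOISE_RE = re.compile(r"dump_backtrace|show_stack|dump_stack|kasan")  # KASAN's own frames
SECTION_HEADERS = (("Call Trace:", "call_trace"), ("page last allocated", "alloc_trace"),
                   ("Allocated by task", "alloc_trace"), ("page last free", "free_trace"),
                   ("Freed by task", "free_trace"))


def shadow_meaning(value: int) -> str:
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_MEANING.get(value, f"unknown shadow value 0x{value:02x}")


@dataclass
class KasanReport:
    bug_kind: str = ""
    location: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    kernel: str = ""
    call_trace: list = field(default_factory=list)
    alloc_trace: list = field(default_factory=list)
    free_trace: list = field(default_factory=list)
    shadow: Optional[int] = None  # shadow byte covering addr, if a '>' row was seen

    def faulting_frame(self) -> str:
        """First call-trace frame that is not KASAN's reporting machinery."""
        return next((f for f in self.call_trace if not NOISE_RE.search(f)), "")


def allocator_caller(trace: list) -> str:
    """Heuristic (this example's own): first frame outside mm/ and include/linux/."""
    for frame in trace:
        loc = frame.split(" ", 1)[1] if " " in frame else ""
        if not (loc.startswith("mm/") or loc.startswith("include/linux/")):
            return frame
    return ""


def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    current = None  # name of the trace list that frame lines are appended to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := BUG_RE.match(line)) and not rep.bug_kind:  # keep the innermost BUG line
            rep.bug_kind, rep.location = m.group(1), m.group(2)
        elif (m := ACCESS_RE.match(line)) and not rep.access:
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.task, rep.pid = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif (m := CPU_RE.match(line)) and not rep.kernel:
            rep.kernel = m.group(1)
        elif m := SHADOW_RE.match(line):
            base = int(m.group(1), 16)
            granules = [int(b, 16) for b in m.group(2).split()]
            idx = (rep.addr - base) >> 3  # one shadow byte per 8-byte granule
            if 0 <= idx < len(granules):
                rep.shadow = granules[idx]
        elif section := next((n for p, n in SECTION_HEADERS if line.startswith(p)), None):
            current = section
        elif (m := FRAME_RE.match(line)) and current:
            func, loc = m.group(1), m.group(2)
            getattr(rep, current).append(f"{func} {loc}" if loc else func)
        else:
            current = None  # any other line ends the trace being collected
    return rep


def summarize(rep: KasanReport) -> str:
    """One-line triage string of the kind one would paste into a tracker."""
    shadow = ("no shadow row" if rep.shadow is None
              else f"shadow 0x{rep.shadow:02x} = {shadow_meaning(rep.shadow)}")
    return (f"{rep.bug_kind} {rep.access} of {rep.size} bytes at 0x{rep.addr:x} by "
            f"{rep.task}/{rep.pid} on {rep.kernel}; faulting frame: {rep.faulting_frame()}; "
            f"{shadow}; allocated by {allocator_caller(rep.alloc_trace)}, "
            f"freed by {allocator_caller(rep.free_trace)}")


# Constructed sample: the report above, re-broken into lines and shortened.
SAMPLE = """\
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:50 [inline]
BUG: KASAN: use-after-free in kernfs_active+0x6e/0xea fs/kernfs/dir.c:28
Read of size 8 at addr ffffaf80227a00e8 by task kworker/u4:5/856

CPU: 0 PID: 856 Comm: kworker/u4:5 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: netns cleanup_net
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff806676c6>] kernfs_root fs/kernfs/kernfs-internal.h:50 [inline]
[<ffffffff806676c6>] kernfs_active+0x6e/0xea fs/kernfs/dir.c:28
[<ffffffff80668c0e>] __kernfs_remove+0x1a8/0x804 fs/kernfs/dir.c:1345
[<ffffffff8270f544>] cleanup_net+0x430/0x732 net/core/net_namespace.c:597
[<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307

The buggy address belongs to the page:
page:ffffaf807affb500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa29a0
page dumped because: kasan: bad access detected
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2067, ts 1355774348100, free_ts 1355933418600
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages_node include/linux/gfp.h:595 [inline]
 alloc_thread_stack_node kernel/fork.c:262 [inline]
 dup_task_struct kernel/fork.c:887 [inline]
 copy_process+0x482/0x3c34 kernel/fork.c:1998
page last free stack trace:
 __reset_page_owner+0x4a/0xea mm/page_owner.c:142
 __free_pages+0xe2/0x112 mm/page_alloc.c:5474
 free_thread_stack kernel/fork.c:297 [inline]
 put_task_stack+0x1d0/0x2b0 kernel/fork.c:445

Memory state around the buggy address:
 ffffaf802279ff80: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
 ffffaf80227a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffaf80227a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffffaf80227a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

The shadow byte is located arithmetically from the reported address rather than from the position of the `^` marker, because web and mail extraction routinely collapse the whitespace that positions it; the 0xff it recovers here agrees with the "page_owner tracks the page as freed" line. The first-frame-outside-mm/ heuristic is deliberately simple: it returns the last frame of a stack if nothing else qualifies, so check the result against the full stack before quoting it.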
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
---|---|---|---|---|---|---|---|---|---|---|---|---
2022/06/03 03:00 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes | 0966d385830d | 5783034f | .config | console log | report | | | info | | ci-qemu2-riscv64 | KASAN: use-after-free Read in kernfs_active