syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [198] 🐞 Fixed [22] 🐞 Invalid [60] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline] BUG: KASAN: use-after-free in kernfs_get+0x5c/0x90 fs/kernfs/dir.c:505 Write of size 4 at addr ffff88811d0c9708 by task kworker/1:1/31002 CPU: 1 PID: 31002 Comm: kworker/1:1 Tainted: G W 5.15.132-syzkaller-01173-g754f8cc9b7de #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 Workqueue: events flush_stashed_error_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:444 kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline] kernfs_get+0x5c/0x90 fs/kernfs/dir.c:505 sysfs_notify+0x9a/0xd0 fs/sysfs/file.c:190 ext4_notify_error_sysfs+0x25/0x30 fs/ext4/sysfs.c:516 flush_stashed_error_work+0x302/0x320 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464 kthread+0x421/0x510 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK> Allocated by task 4135: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:433 [inline] __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466 kasan_slab_alloc include/linux/kasan.h:217 [inline] slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550 slab_alloc_node mm/slub.c:3240 [inline] slab_alloc mm/slub.c:3248 [inline] kmem_cache_alloc+0xf5/0x200 mm/slub.c:3253 kmem_cache_zalloc include/linux/slab.h:723 [inline] __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:593 kernfs_new_node fs/kernfs/dir.c:657 [inline] kernfs_create_dir_ns+0x9b/0x230 fs/kernfs/dir.c:993 sysfs_create_dir_ns+0x185/0x390 fs/sysfs/dir.c:59 create_dir lib/kobject.c:89 [inline] kobject_add_internal+0x763/0xd90 lib/kobject.c:263 kobject_add_varg lib/kobject.c:398 [inline] kobject_init_and_add+0x120/0x190 lib/kobject.c:481 ext4_register_sysfs+0xbf/0x2c0 fs/ext4/sysfs.c:529 ext4_fill_super+0x8a31/0x96e0 fs/ext4/super.c:4940 mount_bdev+0x282/0x3b0 fs/super.c:1387 ext4_mount+0x34/0x40 fs/ext4/super.c:6581 legacy_get_tree+0xf1/0x190 fs/fs_context.c:611 vfs_get_tree+0x88/0x290 fs/super.c:1517 do_new_mount+0x28b/0xad0 fs/namespace.c:2994 path_mount+0x671/0x1070 fs/namespace.c:3324 do_mount fs/namespace.c:3337 [inline] __do_sys_mount fs/namespace.c:3545 [inline] __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3522 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3522 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb Freed by task 28887: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373 kasan_slab_free include/linux/kasan.h:193 [inline] slab_free_hook mm/slub.c:1723 [inline] slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749 slab_free mm/slub.c:3519 [inline] kmem_cache_free+0x116/0x2e0 mm/slub.c:3535 kernfs_put+0x392/0x520 fs/kernfs/dir.c:547 sysfs_put include/linux/sysfs.h:641 [inline] __kobject_del+0x10f/0x300 lib/kobject.c:629 kobject_del+0x45/0x60 lib/kobject.c:651 ext4_unregister_sysfs+0x91/0xa0 fs/ext4/sysfs.c:563 ext4_put_super+0x80/0xd20 fs/ext4/super.c:1182 generic_shutdown_super+0x157/0x2e0 fs/super.c:475 kill_block_super+0x7e/0xe0 fs/super.c:1414 deactivate_locked_super+0xad/0x110 fs/super.c:335 deactivate_super+0xbe/0xf0 fs/super.c:366 cleanup_mnt+0x45c/0x510 fs/namespace.c:1143 __cleanup_mnt+0x19/0x20 fs/namespace.c:1150 task_work_run+0x129/0x190 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0xc4/0xe0 kernel/entry/common.c:175 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x61/0xcb The buggy address belongs to the object at ffff88811d0c9708 which belongs to the cache kernfs_node_cache of size 136 The buggy address is located 0 bytes inside of 136-byte region [ffff88811d0c9708, ffff88811d0c9790) The buggy address belongs to the page: page:ffffea0004743240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d0c9 flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001bf380 raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3866, ts 2604212732552, free_ts 2603794623467 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2602 prep_new_page+0x1b/0x110 mm/page_alloc.c:2608 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4482 __alloc_pages+0x206/0x5e0 mm/page_alloc.c:5773 allocate_slab mm/slub.c:1932 [inline] new_slab+0x9a/0x4e0 mm/slub.c:1995 ___slab_alloc+0x39e/0x830 mm/slub.c:3028 __slab_alloc+0x4a/0x90 mm/slub.c:3115 slab_alloc_node mm/slub.c:3206 [inline] slab_alloc mm/slub.c:3248 [inline] kmem_cache_alloc+0x134/0x200 mm/slub.c:3253 kmem_cache_zalloc include/linux/slab.h:723 [inline] __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:593 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:657 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:985 sysfs_add_file_mode_ns+0x273/0x320 fs/sysfs/file.c:317 create_files fs/sysfs/group.c:64 [inline] internal_create_group+0x573/0xf00 fs/sysfs/group.c:149 sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:175 netdev_queue_add_kobject net/core/net-sysfs.c:1672 [inline] netdev_queue_update_kobjects+0x1a7/0x400 net/core/net-sysfs.c:1711 register_queue_kobjects net/core/net-sysfs.c:1772 [inline] netdev_register_kobject+0x270/0x320 net/core/net-sysfs.c:2018 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1469 [inline] free_pcp_prepare mm/page_alloc.c:1541 [inline] free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3531 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3668 release_pages+0x1310/0x1370 mm/swap.c:1009 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline] tlb_flush_mmu_free mm/mmu_gather.c:240 [inline] tlb_flush_mmu mm/mmu_gather.c:247 [inline] tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338 exit_mmap+0x3ef/0x6f0 mm/mmap.c:3211 __mmput+0x95/0x310 kernel/fork.c:1171 mmput+0x5b/0x170 kernel/fork.c:1194 exit_mm kernel/exit.c:551 [inline] do_exit+0xbb4/0x2b60 kernel/exit.c:862 do_group_exit+0x141/0x310 kernel/exit.c:997 get_signal+0x7a3/0x1630 kernel/signal.c:2891 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:867 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 Memory state around the buggy address: ffff88811d0c9600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff88811d0c9680: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc >ffff88811d0c9700: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811d0c9780: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb ffff88811d0c9800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/10/23 14:24 | android13-5.15-lts | 754f8cc9b7de | 989a3687 | .config | console log | report | info | ci2-android-5-15 | KASAN: use-after-free Write in kernfs_get | |||
| 2023/10/14 02:31 | android13-5.15-lts | 754f8cc9b7de | f757a323 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Write in kernfs_get | ||
| 2023/07/28 06:44 | android13-5.15-lts | 748fd0d9ca0f | 92476829 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Write in kernfs_get |