syzbot


KASAN: use-after-free Write in kernfs_get

Status: auto-obsoleted due to no activity on 2024/01/21 14:31
Reported-by: syzbot+8b2f6d4c6725f90830ad@syzkaller.appspotmail.com
First crash: 307d, last: 220d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kernfs_get kernfs 8 686d 808d 0/26 auto-obsoleted due to no activity on 2022/11/11 09:18
upstream KASAN: slab-use-after-free Read in kernfs_get kernfs 1 104d 104d 0/26 auto-obsoleted due to no activity on 2024/05/26 00:41
upstream KASAN: use-after-free Read in kernfs_get (2) kernfs 2 468d 555d 0/26 auto-obsoleted due to no activity on 2023/06/16 19:32
android-5-15 KASAN: use-after-free Read in kernfs_get 3 465d 589d 0/2 auto-obsoleted due to no activity on 2023/05/20 22:47

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
BUG: KASAN: use-after-free in kernfs_get+0x5c/0x90 fs/kernfs/dir.c:505
Write of size 4 at addr ffff88811d0c9708 by task kworker/1:1/31002

CPU: 1 PID: 31002 Comm: kworker/1:1 Tainted: G        W         5.15.132-syzkaller-01173-g754f8cc9b7de #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: events flush_stashed_error_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
 kernfs_get+0x5c/0x90 fs/kernfs/dir.c:505
 sysfs_notify+0x9a/0xd0 fs/sysfs/file.c:190
 ext4_notify_error_sysfs+0x25/0x30 fs/ext4/sysfs.c:516
 flush_stashed_error_work+0x302/0x320
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

Allocated by task 4135:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550
 slab_alloc_node mm/slub.c:3240 [inline]
 slab_alloc mm/slub.c:3248 [inline]
 kmem_cache_alloc+0xf5/0x200 mm/slub.c:3253
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:593
 kernfs_new_node fs/kernfs/dir.c:657 [inline]
 kernfs_create_dir_ns+0x9b/0x230 fs/kernfs/dir.c:993
 sysfs_create_dir_ns+0x185/0x390 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:89 [inline]
 kobject_add_internal+0x763/0xd90 lib/kobject.c:263
 kobject_add_varg lib/kobject.c:398 [inline]
 kobject_init_and_add+0x120/0x190 lib/kobject.c:481
 ext4_register_sysfs+0xbf/0x2c0 fs/ext4/sysfs.c:529
 ext4_fill_super+0x8a31/0x96e0 fs/ext4/super.c:4940
 mount_bdev+0x282/0x3b0 fs/super.c:1387
 ext4_mount+0x34/0x40 fs/ext4/super.c:6581
 legacy_get_tree+0xf1/0x190 fs/fs_context.c:611
 vfs_get_tree+0x88/0x290 fs/super.c:1517
 do_new_mount+0x28b/0xad0 fs/namespace.c:2994
 path_mount+0x671/0x1070 fs/namespace.c:3324
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3522
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 28887:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3519 [inline]
 kmem_cache_free+0x116/0x2e0 mm/slub.c:3535
 kernfs_put+0x392/0x520 fs/kernfs/dir.c:547
 sysfs_put include/linux/sysfs.h:641 [inline]
 __kobject_del+0x10f/0x300 lib/kobject.c:629
 kobject_del+0x45/0x60 lib/kobject.c:651
 ext4_unregister_sysfs+0x91/0xa0 fs/ext4/sysfs.c:563
 ext4_put_super+0x80/0xd20 fs/ext4/super.c:1182
 generic_shutdown_super+0x157/0x2e0 fs/super.c:475
 kill_block_super+0x7e/0xe0 fs/super.c:1414
 deactivate_locked_super+0xad/0x110 fs/super.c:335
 deactivate_super+0xbe/0xf0 fs/super.c:366
 cleanup_mnt+0x45c/0x510 fs/namespace.c:1143
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1150
 task_work_run+0x129/0x190 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0xc4/0xe0 kernel/entry/common.c:175
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88811d0c9708
 which belongs to the cache kernfs_node_cache of size 136
The buggy address is located 0 bytes inside of
 136-byte region [ffff88811d0c9708, ffff88811d0c9790)
The buggy address belongs to the page:
page:ffffea0004743240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d0c9
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881001bf380
raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3866, ts 2604212732552, free_ts 2603794623467
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2602
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2608
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4482
 __alloc_pages+0x206/0x5e0 mm/page_alloc.c:5773
 allocate_slab mm/slub.c:1932 [inline]
 new_slab+0x9a/0x4e0 mm/slub.c:1995
 ___slab_alloc+0x39e/0x830 mm/slub.c:3028
 __slab_alloc+0x4a/0x90 mm/slub.c:3115
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3248 [inline]
 kmem_cache_alloc+0x134/0x200 mm/slub.c:3253
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xdb/0x700 fs/kernfs/dir.c:593
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:657
 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x273/0x320 fs/sysfs/file.c:317
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x573/0xf00 fs/sysfs/group.c:149
 sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:175
 netdev_queue_add_kobject net/core/net-sysfs.c:1672 [inline]
 netdev_queue_update_kobjects+0x1a7/0x400 net/core/net-sysfs.c:1711
 register_queue_kobjects net/core/net-sysfs.c:1772 [inline]
 netdev_register_kobject+0x270/0x320 net/core/net-sysfs.c:2018
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1469 [inline]
 free_pcp_prepare mm/page_alloc.c:1541 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3531
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3668
 release_pages+0x1310/0x1370 mm/swap.c:1009
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 exit_mmap+0x3ef/0x6f0 mm/mmap.c:3211
 __mmput+0x95/0x310 kernel/fork.c:1171
 mmput+0x5b/0x170 kernel/fork.c:1194
 exit_mm kernel/exit.c:551 [inline]
 do_exit+0xbb4/0x2b60 kernel/exit.c:862
 do_group_exit+0x141/0x310 kernel/exit.c:997
 get_signal+0x7a3/0x1630 kernel/signal.c:2891
 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:301
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86

Memory state around the buggy address:
 ffff88811d0c9600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff88811d0c9680: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
>ffff88811d0c9700: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88811d0c9780: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
 ffff88811d0c9800: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/10/23 14:24 android13-5.15-lts 754f8cc9b7de 989a3687 .config console log report info ci2-android-5-15 KASAN: use-after-free Write in kernfs_get
2023/10/14 02:31 android13-5.15-lts 754f8cc9b7de f757a323 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Write in kernfs_get
2023/07/28 06:44 android13-5.15-lts 748fd0d9ca0f 92476829 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Write in kernfs_get
* Struck through repros no longer work on HEAD.