syzbot

 sign-in | mailing list | source | docs
🐞 Open [1252]
Subsystems
🐞 Fixed [5698]
🐞 Invalid [13880]
Missing Backports [97]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in shutdown_one_device_async

Status: moderation: reported on 2024/09/29 12:27
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+c87d93d80e2c90ef6959@syzkaller.appspotmail.com
First crash: 10d, last: 10d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in shutdown_one_device drivers/base/core.c:4817 [inline]
BUG: KASAN: use-after-free in shutdown_one_device_async+0x4ac/0x5f0 drivers/base/core.c:4837
Read of size 8 at addr ffff88806d6e0738 by task kworker/u8:17/15032

CPU: 1 UID: 0 PID: 15032 Comm: kworker/u8:17 Not tainted 6.11.0-next-20240925-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: async async_run_entry_fn
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 shutdown_one_device drivers/base/core.c:4817 [inline]
 shutdown_one_device_async+0x4ac/0x5f0 drivers/base/core.c:4837
 async_run_entry_fn+0xa8/0x420 kernel/async.c:129
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7f7228b8b pfn:0x6d6e0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001e54f08 ffff8880b8744b80 0000000000000000
raw: 00000007f7228b8b 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO), pid 14611, tgid 14611 (syz-executor), ts 776495307320, free_ts 814610926588
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4210
 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4237
 __do_kmalloc_node mm/slub.c:4253 [inline]
 __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4271
 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:658
 alloc_netdev_mqs+0x9b/0x1000 net/core/dev.c:11093
 tun_set_iff+0x542/0xe80 drivers/net/tun.c:2833
 __tun_chr_ioctl+0x863/0x2400 drivers/net/tun.c:3131
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 15032 tgid 15032 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2638
 __folio_put+0x2c7/0x440 mm/swap.c:126
 folio_put include/linux/mm.h:1478 [inline]
 free_large_kmalloc+0x105/0x1c0 mm/slub.c:4699
 kfree+0x21c/0x440 mm/slub.c:4722
 device_release+0x99/0x1c0
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x22f/0x480 lib/kobject.c:737
 put_device drivers/base/core.c:3785 [inline]
 shutdown_one_device drivers/base/core.c:4816 [inline]
 shutdown_one_device_async+0x492/0x5f0 drivers/base/core.c:4837
 async_run_entry_fn+0xa8/0x420 kernel/async.c:129
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88806d6e0600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806d6e0680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806d6e0700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff88806d6e0780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806d6e0800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/25 12:25 linux-next 2b7275670032 349a68c4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in shutdown_one_device_async
* Struck through repros no longer work on HEAD.