KASAN: use-after-free Read in remove_wait_queue (3)

Status: fixed on 2023/02/24 13:50
Subsystems: kernfs
Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
Fix commit: a06247c6804f psi: Fix uaf issue when psi trigger is destroyed while being polled
First crash: 897d, last: 467d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in remove_wait_queue (log)
Repro: C syz .config
  
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 5.16 000/200] 5.16.5-rc1 review 218 (218) 2022/02/14 15:34
[PATCH 5.10 00/25] 5.10.97-rc1 review 41 (41) 2022/02/05 14:30
[PATCH 5.4 00/10] 5.4.177-rc1 review 17 (17) 2022/02/05 14:28
[PATCH 5.15 000/171] 5.15.19-rc1 review 181 (181) 2022/02/02 00:26
[PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 15 (15) 2022/01/18 11:18
[PATCH v2 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 12 (12) 2022/01/18 06:58
[PATCH 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 5 (5) 2022/01/11 07:16
Re: [syzbot] KASAN: use-after-free Read in remove_wait_queue (3) 14 (14) 2022/01/11 03:02
[syzbot] KASAN: use-after-free Read in remove_wait_queue (3) 0 (2) 2021/12/10 22:42
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in remove_wait_queue (2) C error 7 785d 1481d 0/1 upstream: reported C repro on 2020/04/07 06:03
upstream KASAN: use-after-free Read in remove_wait_queue (2) fs C 4 2239d 2249d 5/26 fixed on 2018/06/07 13:52
android-49 KASAN: use-after-free Read in remove_wait_queue C 6 2256d 2266d 2/3 fixed on 2018/03/05 12:02
linux-4.14 KASAN: use-after-free Read in remove_wait_queue 1 1705d 1705d 0/1 auto-closed as invalid on 2019/12/24 15:10
upstream KASAN: use-after-free Read in remove_wait_queue fs C 7 2256d 2265d 4/26 fixed on 2018/02/26 20:04
linux-4.19 BUG: corrupted list in remove_wait_queue C 31139 417d 1843d 0/1 upstream: reported C repro on 2019/04/10 16:06
upstream KASAN: slab-use-after-free Read in remove_wait_queue usb input 3 308d 310d 0/26 auto-obsoleted due to no activity on 2023/10/01 17:55

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0 kernel/locking/lockdep.c:4897
Read of size 8 at addr ffff888011a36840 by task syz-executor048/3599

CPU: 0 PID: 3599 Comm: syz-executor048 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 __lock_acquire+0x3d86/0x54a0 kernel/locking/lockdep.c:4897
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 remove_wait_queue+0x1d/0x180 kernel/sched/wait.c:55
 ep_remove_wait_queue+0x88/0x1a0 fs/eventpoll.c:545
 ep_unregister_pollwait fs/eventpoll.c:561 [inline]
 ep_remove+0x106/0x9c0 fs/eventpoll.c:690
 eventpoll_release_file+0xe1/0x130 fs/eventpoll.c:923
 eventpoll_release include/linux/eventpoll.h:53 [inline]
 __fput+0x87b/0x9f0 fs/file_table.c:271
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe98399eef3
Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffe94b8f958 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fe98399eef3
RDX: 000000000000002f RSI: 0000000020001340 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000014 R09: 00007ffe94b8f980
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe94b8f97c
R13: 00007ffe94b8f990 R14: 00007ffe94b8f9d0 R15: 0000000000000000
 </TASK>

Allocated by task 3599:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 psi_trigger_create.part.0+0x15e/0x7f0 kernel/sched/psi.c:1141
 cgroup_pressure_write+0x15d/0x6b0 kernel/cgroup/cgroup.c:3645
 cgroup_file_write+0x1ec/0x780 kernel/cgroup/cgroup.c:3852
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x12d/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3599:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 cgroup_pressure_write+0x18d/0x6b0 kernel/cgroup/cgroup.c:3651
 cgroup_file_write+0x1ec/0x780 kernel/cgroup/cgroup.c:3852
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x12d/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888011a36800
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 64 bytes inside of
 192-byte region [ffff888011a36800, ffff888011a368c0)
The buggy address belongs to the page:
page:ffffea0000468d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a36
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888010c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1906309021, free_ts 0
 create_dummy_stack mm/page_owner.c:59 [inline]
 register_early_stack+0x66/0xb0 mm/page_owner.c:75
 init_page_owner mm/page_owner.c:85 [inline]
 init_page_owner+0x4e/0x920 mm/page_owner.c:78
 invoke_init_callbacks mm/page_ext.c:108 [inline]
 page_ext_init+0x4c9/0x4dc mm/page_ext.c:415
 kernel_init_freeable+0x48b/0x73a init/main.c:1608
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888011a36700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888011a36780: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888011a36800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888011a36880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888011a36900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (123):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/12/13 16:03 upstream 2585cf9dfaad 49ca1f59 .config console log report syz C ci-upstream-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/11 02:00 net-old 92816e262980 49ca1f59 .config console log report syz C ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/10 22:41 net-next-old e5d75fc20b92 49ca1f59 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2023/01/13 11:42 linux-next 0a093b2893c7 96166539 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/06/05 05:42 upstream 952923ddc011 c8857892 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/01/20 09:36 upstream 1d1df41c5a33 5da9499f .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in remove_wait_queue
2022/01/16 10:20 upstream d0a231f01e5b 723cfaf0 .config console log report info ci-upstream-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/30 22:17 upstream eec4df26e24e 2e49f10d .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in remove_wait_queue
2022/01/10 11:10 upstream e900deb24820 2ca0d385 .config console log report info ci-upstream-kasan-gce-386 KASAN: use-after-free Read in remove_wait_queue
2022/01/22 20:39 net-old afa114d987c4 214351e1 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/22 03:08 net-old 67ab55956e64 214351e1 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/20 22:10 net-old fa2e1ba3e9e3 b838eb76 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 19:59 net-old 9ea674d7ca4f 731a2d23 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 15:03 net-old 429e3d123d9a 731a2d23 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/27 07:08 net-next-old 40cd4f1550d0 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/26 21:40 net-next-old ab14f1802cfb 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 15:03 net-next-old 53243d412ec5 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 05:29 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 02:50 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/24 22:08 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/21 01:20 net-next-old fe8152b38d3a b838eb76 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 18:56 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 17:03 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 15:09 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 12:10 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 10:45 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/18 23:40 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/18 16:31 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 17:40 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 02:15 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 00:52 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/16 17:30 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/15 14:33 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/15 09:23 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 20:02 net-next-old fe8152b38d3a 53e00b45 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 15:34 net-next-old fe8152b38d3a 53e00b45 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 14:29 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 05:44 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 00:37 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 22:38 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 17:40 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 16:33 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 15:03 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 09:29 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 06:51 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/11/11 21:09 net-next-old cc0356d6a02e 75b04091 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2023/01/16 04:30 linux-next 0a093b2893c7 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/15 02:34 linux-next 0a093b2893c7 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 13:06 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 11:13 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 09:57 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 08:11 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 07:01 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/07/31 01:04 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 8288c99fc263 fef302b1 .config console log report info ci2-upstream-usb KASAN: use-after-free Read in remove_wait_queue
2022/06/04 23:18 linux-next 1cfd968b58a1 c8857892 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue