syzbot

 sign-in | mailing list | source | docs
🐞 Open [1646]
Subsystems
🐞 Fixed [6009]
🐞 Invalid [14804]
Missing Backports [135]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in remove_wait_queue (3)

Status: fixed on 2023/02/24 13:50
Subsystems: kernfs
[Documentation on labels]
Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
Fix commit: a06247c6804f psi: Fix uaf issue when psi trigger is destroyed while being polled
First crash: 1174d, last: 743d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Read in remove_wait_queue (log)
Repro: C syz .config
  
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 5.16 000/200] 5.16.5-rc1 review 218 (218) 2022/02/14 15:34
[PATCH 5.10 00/25] 5.10.97-rc1 review 41 (41) 2022/02/05 14:30
[PATCH 5.4 00/10] 5.4.177-rc1 review 17 (17) 2022/02/05 14:28
[PATCH 5.15 000/171] 5.15.19-rc1 review 181 (181) 2022/02/02 00:26
[PATCH v3 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 15 (15) 2022/01/18 11:18
[PATCH v2 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 12 (12) 2022/01/18 06:58
[PATCH 1/1] psi: Fix uaf issue when psi trigger is destroyed while being polled 5 (5) 2022/01/11 07:16
Re: [syzbot] KASAN: use-after-free Read in remove_wait_queue (3) 14 (14) 2022/01/11 03:02
[syzbot] KASAN: use-after-free Read in remove_wait_queue (3) 0 (2) 2021/12/10 22:42
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in remove_wait_queue (2) C error 7 1061d 1757d 0/1 upstream: reported C repro on 2020/04/07 06:03
upstream KASAN: use-after-free Read in remove_wait_queue (2) fs C 4 2516d 2526d 5/28 fixed on 2018/06/07 13:52
android-49 KASAN: use-after-free Read in remove_wait_queue C 6 2533d 2543d 2/3 fixed on 2018/03/05 12:02
linux-4.14 KASAN: use-after-free Read in remove_wait_queue 1 1982d 1982d 0/1 auto-closed as invalid on 2019/12/24 15:10
upstream KASAN: use-after-free Read in remove_wait_queue fs C 7 2532d 2542d 4/28 fixed on 2018/02/26 20:04
linux-4.19 BUG: corrupted list in remove_wait_queue C 31139 693d 2120d 0/1 upstream: reported C repro on 2019/04/10 16:06
upstream KASAN: slab-use-after-free Read in remove_wait_queue usb input 3 585d 586d 0/28 auto-obsoleted due to no activity on 2023/10/01 17:55
upstream BUG: corrupted list in remove_wait_queue (2) fs C 7 9d06h 6d00h 0/28 upstream: reported C repro on 2025/01/22 23:27

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0 kernel/locking/lockdep.c:4897
Read of size 8 at addr ffff888011a36840 by task syz-executor048/3599

CPU: 0 PID: 3599 Comm: syz-executor048 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 __lock_acquire+0x3d86/0x54a0 kernel/locking/lockdep.c:4897
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 remove_wait_queue+0x1d/0x180 kernel/sched/wait.c:55
 ep_remove_wait_queue+0x88/0x1a0 fs/eventpoll.c:545
 ep_unregister_pollwait fs/eventpoll.c:561 [inline]
 ep_remove+0x106/0x9c0 fs/eventpoll.c:690
 eventpoll_release_file+0xe1/0x130 fs/eventpoll.c:923
 eventpoll_release include/linux/eventpoll.h:53 [inline]
 __fput+0x87b/0x9f0 fs/file_table.c:271
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe98399eef3
Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffe94b8f958 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007fe98399eef3
RDX: 000000000000002f RSI: 0000000020001340 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000014 R09: 00007ffe94b8f980
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe94b8f97c
R13: 00007ffe94b8f990 R14: 00007ffe94b8f9d0 R15: 0000000000000000
 </TASK>

Allocated by task 3599:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 psi_trigger_create.part.0+0x15e/0x7f0 kernel/sched/psi.c:1141
 cgroup_pressure_write+0x15d/0x6b0 kernel/cgroup/cgroup.c:3645
 cgroup_file_write+0x1ec/0x780 kernel/cgroup/cgroup.c:3852
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x12d/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3599:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 cgroup_pressure_write+0x18d/0x6b0 kernel/cgroup/cgroup.c:3651
 cgroup_file_write+0x1ec/0x780 kernel/cgroup/cgroup.c:3852
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_write+0x12d/0x250 fs/read_write.c:643
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888011a36800
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 64 bytes inside of
 192-byte region [ffff888011a36800, ffff888011a368c0)
The buggy address belongs to the page:
page:ffffea0000468d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a36
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000001 ffff888010c41a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1906309021, free_ts 0
 create_dummy_stack mm/page_owner.c:59 [inline]
 register_early_stack+0x66/0xb0 mm/page_owner.c:75
 init_page_owner mm/page_owner.c:85 [inline]
 init_page_owner+0x4e/0x920 mm/page_owner.c:78
 invoke_init_callbacks mm/page_ext.c:108 [inline]
 page_ext_init+0x4c9/0x4dc mm/page_ext.c:415
 kernel_init_freeable+0x48b/0x73a init/main.c:1608
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888011a36700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888011a36780: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888011a36800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888011a36880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888011a36900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (123):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/12/13 16:03 upstream 2585cf9dfaad 49ca1f59 .config console log report syz C ci-upstream-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/11 02:00 net-old 92816e262980 49ca1f59 .config console log report syz C ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/10 22:41 net-next-old e5d75fc20b92 49ca1f59 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2023/01/13 11:42 linux-next 0a093b2893c7 96166539 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/06/05 05:42 upstream 952923ddc011 c8857892 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/01/20 09:36 upstream 1d1df41c5a33 5da9499f .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in remove_wait_queue
2022/01/16 10:20 upstream d0a231f01e5b 723cfaf0 .config console log report info ci-upstream-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/12/30 22:17 upstream eec4df26e24e 2e49f10d .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in remove_wait_queue
2022/01/10 11:10 upstream e900deb24820 2ca0d385 .config console log report info ci-upstream-kasan-gce-386 KASAN: use-after-free Read in remove_wait_queue
2022/01/22 20:39 net-old afa114d987c4 214351e1 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/22 03:08 net-old 67ab55956e64 214351e1 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/20 22:10 net-old fa2e1ba3e9e3 b838eb76 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 19:59 net-old 9ea674d7ca4f 731a2d23 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 15:03 net-old 429e3d123d9a 731a2d23 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/27 07:08 net-next-old 40cd4f1550d0 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/26 21:40 net-next-old ab14f1802cfb 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 15:03 net-next-old 53243d412ec5 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 05:29 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/25 02:50 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/24 22:08 net-next-old de8a820df2ac 2cbffd88 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/21 01:20 net-next-old fe8152b38d3a b838eb76 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 18:56 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 17:03 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 15:09 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 12:10 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/19 10:45 net-next-old fe8152b38d3a 0620189b .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/18 23:40 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/18 16:31 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 17:40 net-next-old fe8152b38d3a 731a2d23 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 02:15 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/17 00:52 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/16 17:30 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/15 14:33 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/15 09:23 net-next-old fe8152b38d3a 723cfaf0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 20:02 net-next-old fe8152b38d3a 53e00b45 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 15:34 net-next-old fe8152b38d3a 53e00b45 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 14:29 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 05:44 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/14 00:37 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 22:38 net-next-old fe8152b38d3a b8d780ab .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 17:40 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 16:33 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 15:03 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 09:29 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2022/01/13 06:51 net-next-old fe8152b38d3a 44d1319a .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2021/11/11 21:09 net-next-old cc0356d6a02e 75b04091 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in remove_wait_queue
2023/01/16 04:30 linux-next 0a093b2893c7 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/15 02:34 linux-next 0a093b2893c7 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 13:06 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 11:13 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 09:57 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 08:11 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2023/01/12 07:01 linux-next 0a093b2893c7 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
2022/07/31 01:04 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 8288c99fc263 fef302b1 .config console log report info ci2-upstream-usb KASAN: use-after-free Read in remove_wait_queue
2022/06/04 23:18 linux-next 1cfd968b58a1 c8857892 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in remove_wait_queue
* Struck through repros no longer work on HEAD.