syzbot


KASAN: use-after-free Read in kernfs_get

Status: auto-obsoleted due to no activity on 2023/05/20 22:47
Reported-by: syzbot+2165a0748e72cbc7f2df@syzkaller.appspotmail.com
First crash: 764d, last: 640d
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kernfs_get kernfs 8 861d 983d 0/28 auto-obsoleted due to no activity on 2022/11/11 09:18
android-5-15 KASAN: use-after-free Read in kernfs_get (2) 7 11d 129d 0/2 premoderation: reported on 2024/07/15 05:15
upstream KASAN: use-after-free Read in kernfs_get (2) kernfs 2 643d 730d 0/28 auto-obsoleted due to no activity on 2023/06/16 19:32
android-6-1 KASAN: use-after-free Read in kernfs_get 2 100d 145d 0/2 auto-obsoleted due to no activity on 2024/11/11 11:50
linux-5.15 KASAN: use-after-free Read in kernfs_get 1 98d 98d 0/3 upstream: reported on 2024/08/15 10:42
android-6-1 KASAN: use-after-free Write in kernfs_get 1 2d00h 2d00h 0/2 premoderation: reported on 2024/11/19 13:51
upstream KASAN: slab-use-after-free Read in kernfs_get kernfs 1 279d 279d 0/28 auto-obsoleted due to no activity on 2024/05/26 00:41
android-5-15 KASAN: use-after-free Write in kernfs_get 3 395d 482d 0/2 auto-obsoleted due to no activity on 2024/01/21 14:31

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in kernfs_get+0x21/0x90 fs/kernfs/dir.c:504
Read of size 4 at addr ffff88810acf1258 by task kworker/0:16/26472

CPU: 0 PID: 26472 Comm: kworker/0:16 Not tainted 5.15.94-syzkaller-03204-g5448b2fda85f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Workqueue: events flush_stashed_error_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 kasan_check_range+0x293/0x2a0 mm/kasan/generic.c:189
 __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 kernfs_get+0x21/0x90 fs/kernfs/dir.c:504
 sysfs_notify+0x9a/0xd0 fs/sysfs/file.c:190
 ext4_notify_error_sysfs+0x25/0x30 fs/ext4/sysfs.c:511
 flush_stashed_error_work+0x302/0x320
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2313
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2460
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 <unknown>:298
 </TASK>

Allocated by task 27536:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 __kasan_slab_alloc+0xb1/0xe0 mm/kasan/common.c:466
 kasan_slab_alloc include/linux/kasan.h:217 [inline]
 slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:550
 slab_alloc_node mm/slub.c:3238 [inline]
 slab_alloc mm/slub.c:3246 [inline]
 kmem_cache_alloc+0xf5/0x200 mm/slub.c:3251
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 __kernfs_new_node+0xdb/0x6f0 fs/kernfs/dir.c:593
 kernfs_new_node fs/kernfs/dir.c:655 [inline]
 kernfs_create_dir_ns+0x9b/0x230 fs/kernfs/dir.c:991
 sysfs_create_dir_ns+0x185/0x390 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:89 [inline]
 kobject_add_internal+0x763/0xd90 lib/kobject.c:255
 kobject_add_varg lib/kobject.c:390 [inline]
 kobject_init_and_add+0x120/0x190 lib/kobject.c:473
 ext4_register_sysfs+0xbf/0x2c0 fs/ext4/sysfs.c:524
 ext4_fill_super+0x89d0/0x9680 fs/ext4/super.c:4938
 mount_bdev+0x281/0x3b0 fs/super.c:1369
 ext4_mount+0x34/0x40 fs/ext4/super.c:6564
 legacy_get_tree+0xf1/0x190 fs/fs_context.c:610
 vfs_get_tree+0x88/0x290 fs/super.c:1499
 do_new_mount+0x28b/0xac0 fs/namespace.c:2994
 path_mount+0x671/0x1070 fs/namespace.c:3324
 do_mount fs/namespace.c:3337 [inline]
 __do_sys_mount fs/namespace.c:3545 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3522
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3522
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 24052:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3517 [inline]
 kmem_cache_free+0x116/0x2e0 mm/slub.c:3533
 kernfs_put+0x392/0x520 fs/kernfs/dir.c:547
 sysfs_put include/linux/sysfs.h:641 [inline]
 __kobject_del+0x10f/0x300 lib/kobject.c:621
 kobject_del+0x45/0x60 lib/kobject.c:643
 ext4_unregister_sysfs+0x91/0xa0 fs/ext4/sysfs.c:558
 ext4_put_super+0x80/0xd40 fs/ext4/super.c:1174
 generic_shutdown_super+0x157/0x2e0 fs/super.c:466
 kill_block_super+0x7e/0xe0 fs/super.c:1396
 deactivate_locked_super+0xad/0x110 fs/super.c:335
 deactivate_super+0xbe/0xf0 fs/super.c:366
 cleanup_mnt+0x45c/0x510 fs/namespace.c:1143
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1150
 task_work_run+0x129/0x190 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop+0xc4/0xe0 kernel/entry/common.c:175
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88810acf1258
 which belongs to the cache kernfs_node_cache of size 136
The buggy address is located 0 bytes inside of
 136-byte region [ffff88810acf1258, ffff88810acf12e0)
The buggy address belongs to the page:
page:ffffea00042b3c40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10acf1
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea0005ccfd40 0000000f0000000f ffff8881001b7800
raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 25423, ts 2426666560912, free_ts 2426534117616
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2502
 prep_new_page mm/page_alloc.c:2508 [inline]
 get_page_from_freelist+0x2c14/0x2cf0 mm/page_alloc.c:4291
 __alloc_pages+0x386/0x7b0 mm/page_alloc.c:5569
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x92/0x490 mm/slub.c:1993
 ___slab_alloc+0x39e/0x830 mm/slub.c:3026
 __slab_alloc+0x4a/0x90 mm/slub.c:3113
 slab_alloc_node mm/slub.c:3204 [inline]
 slab_alloc mm/slub.c:3246 [inline]
 kmem_cache_alloc+0x134/0x200 mm/slub.c:3251
 kmem_cache_zalloc include/linux/slab.h:728 [inline]
 __kernfs_new_node+0xdb/0x6f0 fs/kernfs/dir.c:593
 kernfs_new_node+0x97/0x170 fs/kernfs/dir.c:655
 __kernfs_create_file+0x4a/0x270 fs/kernfs/file.c:985
 sysfs_add_file_mode_ns+0x273/0x320 fs/sysfs/file.c:317
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x573/0xf00 fs/sysfs/group.c:149
 internal_create_groups fs/sysfs/group.c:189 [inline]
 sysfs_create_groups+0x5b/0x130 fs/sysfs/group.c:215
 create_dir lib/kobject.c:100 [inline]
 kobject_add_internal+0x8ce/0xd90 lib/kobject.c:255
 kobject_add_varg lib/kobject.c:390 [inline]
 kobject_init_and_add+0x120/0x190 lib/kobject.c:473
 netdev_queue_add_kobject net/core/net-sysfs.c:1666 [inline]
 netdev_queue_update_kobjects+0x185/0x400 net/core/net-sysfs.c:1711
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1370 [inline]
 free_pcp_prepare mm/page_alloc.c:1442 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3441
 free_unref_page_list+0x15d/0x980 mm/page_alloc.c:3562
 release_pages+0x1310/0x1370 mm/swap.c:1009
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 exit_mmap+0x3ef/0x6f0 mm/mmap.c:3211
 __mmput+0x95/0x310 kernel/fork.c:1171
 mmput+0x5b/0x170 kernel/fork.c:1194
 exit_mm kernel/exit.c:551 [inline]
 do_exit+0xbb4/0x2b60 kernel/exit.c:862
 do_group_exit+0x141/0x310 kernel/exit.c:997
 get_signal+0x7a3/0x1630 kernel/signal.c:2891
 arch_do_signal_or_restart+0xbd/0x1680 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop+0xa0/0xe0 kernel/entry/common.c:172
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x26/0x160 kernel/entry/common.c:300
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86

Memory state around the buggy address:
 ffff88810acf1100: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff88810acf1180: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810acf1200: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb
                                                    ^
 ffff88810acf1280: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88810acf1300: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/02/19 22:42 android13-5.15-lts 5448b2fda85f bcdf85f8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in kernfs_get
2022/12/29 18:08 android13-5.15-lts c73b4619ad86 44712fbc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in kernfs_get
2022/10/18 19:43 android13-5.15-lts 44b8b2ac1d96 b31320fc .config console log report info [disk image] [vmlinux] ci2-android-5-15 KASAN: use-after-free Read in kernfs_get
* Struck through repros no longer work on HEAD.