syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: slab-use-after-free in entity_eligible kernel/sched/fair.c:744 [inline] BUG: KASAN: slab-use-after-free in pick_eevdf+0x3a2/0x940 kernel/sched/fair.c:932 Read of size 8 at addr ffff88807b8e1ef0 by task ksoftirqd/1/24 CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc4-next-20240822-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 entity_eligible kernel/sched/fair.c:744 [inline] pick_eevdf+0x3a2/0x940 kernel/sched/fair.c:932 pick_next_entity kernel/sched/fair.c:5612 [inline] pick_task_fair+0xb5/0x280 kernel/sched/fair.c:8742 pick_next_task_fair+0x23/0xb00 kernel/sched/fair.c:8767 __pick_next_task+0xa6/0x2f0 kernel/sched/core.c:5959 __schedule+0x77b/0x4b30 kernel/sched/core.c:6632 __schedule_loop kernel/sched/core.c:6754 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6769 smpboot_thread_fn+0x61e/0xa30 kernel/smpboot.c:160 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5225: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4036 [inline] slab_alloc_node mm/slub.c:4085 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4128 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2203 kernel_clone+0x226/0x8f0 kernel/fork.c:2784 __do_sys_clone kernel/fork.c:2927 [inline] __se_sys_clone kernel/fork.c:2911 [inline] __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2911 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 16: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2299 [inline] slab_free mm/slub.c:4521 [inline] kmem_cache_free+0x195/0x3d0 mm/slub.c:4623 put_task_struct include/linux/sched/task.h:139 [inline] delayed_put_task_struct+0x125/0x300 kernel/exit.c:228 rcu_do_batch kernel/rcu/tree.c:2567 [inline] rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:927 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 __call_rcu_common kernel/rcu/tree.c:3086 [inline] call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190 context_switch kernel/sched/core.c:5314 [inline] __schedule+0x1852/0x4b30 kernel/sched/core.c:6677 __schedule_loop kernel/sched/core.c:6754 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6769 schedule_hrtimeout_range_clock+0x2c4/0x4d0 kernel/time/hrtimer.c:2293 poll_schedule_timeout fs/select.c:244 [inline] do_select+0x1865/0x1b00 fs/select.c:607 core_sys_select+0x6f4/0x910 fs/select.c:681 do_pselect fs/select.c:763 [inline] __do_sys_pselect6 fs/select.c:804 [inline] __se_sys_pselect6+0x319/0x3f0 fs/select.c:795 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Second to last potentially related work creation: kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541 task_work_add+0xb8/0x450 kernel/task_work.c:66 task_tick_mm_cid kernel/sched/core.c:10422 [inline] sched_tick+0x322/0x610 kernel/sched/core.c:5594 update_process_times+0x202/0x230 kernel/time/timer.c:2492 tick_sched_handle kernel/time/tick-sched.c:276 [inline] tick_nohz_handler+0x37c/0x500 kernel/time/tick-sched.c:297 __run_hrtimer kernel/time/hrtimer.c:1691 [inline] __hrtimer_run_queues+0x551/0xd50 kernel/time/hrtimer.c:1755 hrtimer_interrupt+0x396/0x990 kernel/time/hrtimer.c:1817 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1026 [inline] __sysvec_apic_timer_interrupt+0x110/0x3f0 arch/x86/kernel/apic/apic.c:1043 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline] sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1037 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 The buggy address belongs to the object at ffff88807b8e1e00 which belongs to the cache task_struct of size 7424 The buggy address is located 240 bytes inside of freed 7424-byte region [ffff88807b8e1e00, ffff88807b8e3b00) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b8e0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88802c8e1701 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xfdffffff(slab) raw: 00fff00000000040 ffff8880166fb500 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000040004 00000001fdffffff ffff88802c8e1701 head: 00fff00000000040 ffff8880166fb500 0000000000000000 dead000000000001 head: 0000000000000000 0000000000040004 00000001fdffffff ffff88802c8e1701 head: 00fff00000000003 ffffea0001ee3801 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4671, tgid 4671 (start-stop-daem), ts 15162009093, free_ts 13592746831 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1517 prep_new_page mm/page_alloc.c:1525 [inline] get_page_from_freelist+0x3131/0x3280 mm/page_alloc.c:3476 __alloc_pages_noprof+0x29e/0x780 mm/page_alloc.c:4743 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2368 allocate_slab+0x5a/0x2f0 mm/slub.c:2531 new_slab mm/slub.c:2584 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3771 __slab_alloc+0x58/0xa0 mm/slub.c:3861 __slab_alloc_node mm/slub.c:3914 [inline] slab_alloc_node mm/slub.c:4073 [inline] kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4128 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2203 kernel_clone+0x226/0x8f0 kernel/fork.c:2784 __do_sys_vfork+0xc3/0x120 kernel/fork.c:2889 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1098 [inline] free_unref_page+0xc07/0xd90 mm/page_alloc.c:2651 free_contig_range+0x152/0x550 mm/page_alloc.c:6758 destroy_args+0x8a/0x890 mm/debug_vm_pgtable.c:1017 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397 do_one_initcall+0x248/0x880 init/main.c:1269 do_initcall_level+0x157/0x210 init/main.c:1331 do_initcalls+0x3f/0x80 init/main.c:1347 kernel_init_freeable+0x435/0x5d0 init/main.c:1580 kernel_init+0x1d/0x2b0 init/main.c:1469 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff88807b8e1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807b8e1e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807b8e1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807b8e1f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807b8e1f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/08/22 18:05 | linux-next | 6a7917c89f21 | 295a4b50 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in pick_eevdf |