syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [997] ≡ Subsystems 🐞 Fixed [5242] 🐞 Invalid [12511] ⬇ Missing Backports [84] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: use-after-free in atomic_long_read include/linux/atomic/atomic-instrumented.h:1183 [inline] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0xa6/0x5e0 kernel/locking/mutex.c:1230 Read of size 8 at addr ffff88806efc2858 by task syz-executor.0/12440 CPU: 1 PID: 12440 Comm: syz-executor.0 Not tainted 5.14.0-rc3-next-20210730-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_long_read include/linux/atomic/atomic-instrumented.h:1183 [inline] __mutex_unlock_slowpath+0xa6/0x5e0 kernel/locking/mutex.c:1230 sg_release+0x204/0x350 drivers/scsi/sg.c:405 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4193fb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffcea9bbe30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004193fb RDX: 0000000000000000 RSI: 00007fcacb587000 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b31032294 R10: 0000000000000973 R11: 0000000000000293 R12: 000000000056cb00 R13: 000000000056cb00 R14: 000000000056bf80 R15: 000000000006d1e2 Allocated by task 8: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] sg_alloc drivers/scsi/sg.c:1446 [inline] sg_add_device+0x17f/0xc60 drivers/scsi/sg.c:1525 device_add+0xece/0x21b0 drivers/base/core.c:3380 scsi_sysfs_add_sdev+0x22b/0x730 drivers/scsi/scsi_sysfs.c:1362 scsi_sysfs_add_devices drivers/scsi/scsi_scan.c:1725 [inline] scsi_finish_async_scan drivers/scsi/scsi_scan.c:1810 [inline] do_scan_async+0x210/0x500 drivers/scsi/scsi_scan.c:1853 async_run_entry_fn+0x9d/0x550 kernel/async.c:127 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Freed by task 9713: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1628 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1653 slab_free mm/slub.c:3213 [inline] kfree+0xe4/0x530 mm/slub.c:4267 kref_put include/linux/kref.h:65 [inline] sg_remove_sfp_usercontext+0x396/0x600 drivers/scsi/sg.c:2220 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff88806efc2800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 88 bytes inside of 512-byte region [ffff88806efc2800, ffff88806efc2a00) The buggy address belongs to the page: page:ffffea0001bbf000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806efc2000 pfn:0x6efc0 head:ffffea0001bbf000 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea0000557208 ffffea0001f6f808 ffff888010841c80 raw: ffff88806efc2000 000000000010000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13, ts 124646309898, free_ts 80349819883 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4152 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5374 alloc_pages+0x1a3/0x2d0 mm/mempolicy.c:2174 alloc_slab_page mm/slub.c:1691 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1831 new_slab mm/slub.c:1894 [inline] new_slab_objects mm/slub.c:2640 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2803 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843 slab_alloc_node mm/slub.c:2925 [inline] __kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4653 kmalloc_reserve net/core/skbuff.c:355 [inline] __alloc_skb+0xde/0x340 net/core/skbuff.c:426 __napi_alloc_skb+0x70/0x310 net/core/skbuff.c:567 napi_alloc_skb include/linux/skbuff.h:2933 [inline] page_to_skb+0x1b3/0xc60 drivers/net/virtio_net.c:442 receive_mergeable drivers/net/virtio_net.c:1031 [inline] receive_buf+0x338e/0x6380 drivers/net/virtio_net.c:1141 virtnet_receive drivers/net/virtio_net.c:1433 [inline] virtnet_poll+0x5bf/0x11c0 drivers/net/virtio_net.c:1542 __napi_poll+0xaf/0x440 net/core/dev.c:7065 napi_poll net/core/dev.c:7132 [inline] net_rx_action+0x801/0xb40 net/core/dev.c:7219 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:920 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x373/0x860 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3394 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2421 put_cpu_partial+0x13d/0x230 mm/slub.c:2457 qlink_free mm/kasan/quarantine.c:146 [inline] qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2995 __alloc_skb+0x20b/0x340 net/core/skbuff.c:414 alloc_skb_fclone include/linux/skbuff.h:1166 [inline] sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:887 tcp_sendmsg_locked+0xc78/0x2f10 net/ipv4/tcp.c:1309 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1461 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 sock_write_iter+0x289/0x3c0 net/socket.c:1057 call_write_iter include/linux/fs.h:2152 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 Memory state around the buggy address: ffff88806efc2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88806efc2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88806efc2800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88806efc2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806efc2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2021/08/05 19:57 | linux-next | 8d4b477da1a8 | d2d6e680 | .config | console log | report | info | ci-upstream-linux-next-kasan-gce-root | KASAN: use-after-free Read in sg_release |