syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [980] ≡ Subsystems 🐞 Fixed [5236] 🐞 Invalid [12500] ⬇ Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] KASAN: use-after-free Read in check_all_holdout_tasks_trace | 15 (18) | 2021/06/28 08:43 |
| [PATCH v2] rcu-tasks: Fix an use-after-free when grace-period kthread touch the task_strcut | 1 (1) | 2021/05/26 03:20 |
| [PATCH] rcu-tasks: remove the task from holdout list a same place | 1 (1) | 2021/05/23 18:37 |
================================================================== BUG: KASAN: use-after-free in check_all_holdout_tasks_trace+0x302/0x420 kernel/rcu/tasks.h:1084 Read of size 1 at addr ffff8880294cbc9c by task rcu_tasks_trace/12 CPU: 0 PID: 12 Comm: rcu_tasks_trace Not tainted 5.13.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436 check_all_holdout_tasks_trace+0x302/0x420 kernel/rcu/tasks.h:1084 rcu_tasks_wait_gp+0x594/0xa60 kernel/rcu/tasks.h:358 rcu_tasks_kthread+0x31c/0x6a0 kernel/rcu/tasks.h:224 kthread+0x3b1/0x4a0 kernel/kthread.c:313 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Allocated by task 8499: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:428 [inline] __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:461 kasan_slab_alloc include/linux/kasan.h:236 [inline] slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:2913 [inline] kmem_cache_alloc_node+0x269/0x3e0 mm/slub.c:2949 alloc_task_struct_node kernel/fork.c:171 [inline] dup_task_struct kernel/fork.c:865 [inline] copy_process+0x5c8/0x7120 kernel/fork.c:1947 kernel_clone+0xe7/0xab0 kernel/fork.c:2503 __do_sys_clone+0xc8/0x110 kernel/fork.c:2620 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 12: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368 kasan_slab_free include/linux/kasan.h:212 [inline] slab_free_hook mm/slub.c:1582 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1607 slab_free mm/slub.c:3167 [inline] kmem_cache_free+0x8a/0x740 mm/slub.c:3183 __put_task_struct+0x26f/0x400 kernel/fork.c:747 trc_wait_for_one_reader kernel/rcu/tasks.h:935 [inline] check_all_holdout_tasks_trace+0x179/0x420 kernel/rcu/tasks.h:1081 rcu_tasks_wait_gp+0x594/0xa60 kernel/rcu/tasks.h:358 rcu_tasks_kthread+0x31c/0x6a0 kernel/rcu/tasks.h:224 kthread+0x3b1/0x4a0 kernel/kthread.c:313 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345 __call_rcu kernel/rcu/tree.c:3038 [inline] call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:180 release_task+0xca1/0x1690 kernel/exit.c:226 wait_task_zombie kernel/exit.c:1108 [inline] wait_consider_task+0x2fb5/0x3b40 kernel/exit.c:1335 do_wait_thread kernel/exit.c:1398 [inline] do_wait+0x724/0xd40 kernel/exit.c:1515 kernel_wait4+0x14c/0x260 kernel/exit.c:1678 __do_sys_wait4+0x13f/0x150 kernel/exit.c:1706 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345 __call_rcu kernel/rcu/tree.c:3038 [inline] call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113 put_task_struct_rcu_user+0x7f/0xb0 kernel/exit.c:180 release_task+0xca1/0x1690 kernel/exit.c:226 wait_task_zombie kernel/exit.c:1108 [inline] wait_consider_task+0x2fb5/0x3b40 kernel/exit.c:1335 do_wait_thread kernel/exit.c:1398 [inline] do_wait+0x724/0xd40 kernel/exit.c:1515 kernel_wait4+0x14c/0x260 kernel/exit.c:1678 __do_sys_wait4+0x13f/0x150 kernel/exit.c:1706 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff8880294cb880 which belongs to the cache task_struct of size 6976 The buggy address is located 1052 bytes inside of 6976-byte region [ffff8880294cb880, ffff8880294cd3c0) The buggy address belongs to the page: page:ffffea0000a53200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294c8 head:ffffea0000a53200 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea00008d6400 0000000200000002 ffff888140005140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, ts 15187628853, free_ts 0 prep_new_page mm/page_alloc.c:2358 [inline] get_page_from_freelist+0x1034/0x2bf0 mm/page_alloc.c:3994 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272 alloc_slab_page mm/slub.c:1645 [inline] allocate_slab+0x32e/0x4c0 mm/slub.c:1785 new_slab mm/slub.c:1848 [inline] new_slab_objects mm/slub.c:2594 [inline] ___slab_alloc+0x4a1/0x810 mm/slub.c:2757 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2797 slab_alloc_node mm/slub.c:2879 [inline] kmem_cache_alloc_node+0x12f/0x3e0 mm/slub.c:2949 alloc_task_struct_node kernel/fork.c:171 [inline] dup_task_struct kernel/fork.c:865 [inline] copy_process+0x5c8/0x7120 kernel/fork.c:1947 kernel_clone+0xe7/0xab0 kernel/fork.c:2503 kernel_thread+0xb5/0xf0 kernel/fork.c:2555 create_kthread kernel/kthread.c:336 [inline] kthreadd+0x52a/0x790 kernel/kthread.c:679 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 page_owner free stack trace missing Memory state around the buggy address: ffff8880294cbb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880294cbc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880294cbc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880294cbd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880294cbd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2021/06/18 20:44 | bpf-next | 0c38740c0896 | aba2b2fb | .config | console log | report | syz | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in check_all_holdout_tasks_trace | |||
| 2021/07/18 02:28 | bpf | a6c39de76d70 | f115ae98 | .config | console log | report | info | ci-upstream-bpf-kasan-gce | KASAN: use-after-free Read in check_all_holdout_tasks_trace | |||
| 2021/07/30 11:25 | bpf-next | 5aad03685185 | c585c7b0 | .config | console log | report | info | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in check_all_holdout_tasks_trace | |||
| 2021/05/17 16:41 | bpf-next | f18ba26da88a | a2eb125d | .config | console log | report | info | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in check_all_holdout_tasks_trace |