syzbot
```text
infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98
lo speed is unknown, defaulting to 1000
lo speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: slab-use-after-free in __nla_put lib/nlattr.c:1041 [inline]
BUG: KASAN: slab-use-after-free in nla_put+0x158/0x1bc lib/nlattr.c:1099
Read of size 5 at addr ffff000011a80a00 by task syz.1.6937/17506

CPU: 1 UID: 0 PID: 17506 Comm: syz.1.6937 Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:319
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:175 [inline]
 kasan_check_range+0x100/0x1a8 mm/kasan/generic.c:189
 memcpy+0x3c/0x9c mm/kasan/shadow.c:74
 __nla_put lib/nlattr.c:1041 [inline]
 nla_put+0x158/0x1bc lib/nlattr.c:1099
 nla_put_string include/net/netlink.h:1617 [inline]
 fill_nldev_handle+0xf0/0x174 drivers/infiniband/core/nldev.c:265
 rdma_nl_notify_event+0x18c/0x784 drivers/infiniband/core/nldev.c:2825
 ib_device_notify_register drivers/infiniband/core/device.c:1360 [inline]
 ib_register_device drivers/infiniband/core/device.c:1476 [inline]
 ib_register_device+0x5fc/0x9bc drivers/infiniband/core/device.c:1395
 siw_device_register drivers/infiniband/sw/siw/siw_main.c:72 [inline]
 siw_newlink+0xa68/0xd74 drivers/infiniband/sw/siw/siw_main.c:452
 nldev_newlink+0x258/0x444 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 17506:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_track_caller_noprof+0x1e8/0x428 mm/slub.c:4283
 kstrdup+0x48/0x90 mm/util.c:64
 kstrdup_const+0x40/0x4c mm/util.c:87
 kvasprintf_const+0x1b0/0x1e0 lib/kasprintf.c:46
 kobject_set_name_vargs+0x5c/0x118 lib/kobject.c:274
 dev_set_name+0xa4/0xdc drivers/base/core.c:3478
 assign_name drivers/infiniband/core/device.c:1218 [inline]
 ib_register_device+0x534/0x9bc drivers/infiniband/core/device.c:1400
 siw_device_register drivers/infiniband/sw/siw/siw_main.c:72 [inline]
 siw_newlink+0xa68/0xd74 drivers/infiniband/sw/siw/siw_main.c:452
 nldev_newlink+0x258/0x444 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 17509:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x50/0x6c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x130/0x460 mm/slub.c:4727
 kfree_const+0x34/0x40 mm/util.c:43
 kobject_rename+0x120/0x1ec lib/kobject.c:524
 device_rename+0xc8/0x1c0 drivers/base/core.c:4545
 ib_device_rename+0xdc/0x3cc drivers/infiniband/core/device.c:419
 nldev_set_doit+0x264/0x328 drivers/infiniband/core/nldev.c:1146
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff000011a80a00
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 freed 8-byte region [ffff000011a80a00, ffff000011a80a08)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51a80
anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 01ffc00000000000 ffff00000d401500 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000011a80900: fa fc fc fc fa fc fc fc 00 fc fc fc fa fc fc fc
 ffff000011a80980: fa fc fc fc fa fc fc fc fa fc fc fc 04 fc fc fc
>ffff000011a80a00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
                   ^
 ffff000011a80a80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
 ffff000011a80b00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2024/10/25 03:39 | upstream | 4e46774408d9 | c79b8ca5 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm64 | KASAN: slab-use-after-free Read in nla_put |