syzbot


KASAN: use-after-free Write in dec_ucount

Status: auto-closed as invalid on 2022/01/23 06:53
Reported-by: syzbot+ed34370dbda6d44c06b2@syzkaller.appspotmail.com
First crash: 524d, last: 438d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_long_dec_if_positive include/linux/atomic/atomic-instrumented.h:1754 [inline]
BUG: KASAN: use-after-free in dec_ucount+0x54/0x130 kernel/ucount.c:252
Write of size 8 at addr ffff88801c827f40 by task kworker/u4:0/8

CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_long_dec_if_positive include/linux/atomic/atomic-instrumented.h:1754 [inline]
 dec_ucount+0x54/0x130 kernel/ucount.c:252
 dec_net_namespaces net/core/net_namespace.c:387 [inline]
 cleanup_net+0x6f3/0xb00 net/core/net_namespace.c:607
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 6526:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa4/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 alloc_ucounts+0x23d/0x5b0 kernel/ucount.c:173
 set_cred_ucounts+0x171/0x3a0 kernel/cred.c:684
 copy_creds+0x70e/0xb60 kernel/cred.c:375
 copy_process+0x1443/0x7580 kernel/fork.c:2066
 kernel_clone+0xe7/0xac0 kernel/fork.c:2584
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2701
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe9/0x110 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1353
 __queue_work+0x5ca/0xee0 kernel/workqueue.c:1519
 queue_work_on+0xee/0x110 kernel/workqueue.c:1546
 queue_work include/linux/workqueue.h:502 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2375
 dev_attr_store+0x50/0x80 drivers/base/core.c:2076
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2163 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:507
 vfs_write+0x7cf/0xae0 fs/read_write.c:594
 ksys_write+0x12d/0x250 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe9/0x110 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1353
 __queue_work+0x5ca/0xee0 kernel/workqueue.c:1519
 queue_work_on+0xee/0x110 kernel/workqueue.c:1546
 queue_work include/linux/workqueue.h:502 [inline]
 call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435
 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208
 uevent_store+0x20/0x50 drivers/base/core.c:2375
 dev_attr_store+0x50/0x80 drivers/base/core.c:2076
 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139
 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2163 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:507
 vfs_write+0x7cf/0xae0 fs/read_write.c:594
 ksys_write+0x12d/0x250 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801c827f00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 64 bytes inside of
 192-byte region [ffff88801c827f00, ffff88801c827fc0)
The buggy address belongs to the page:
page:ffffea00007209c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801c827f00 pfn:0x1c827
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000592608 ffffea0001eb3d88 ffff888010c41a00
raw: ffff88801c827f00 000000000010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 253, ts 8084778998, free_ts 8066282067
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
 alloc_slab_page mm/slub.c:1763 [inline]
 allocate_slab mm/slub.c:1900 [inline]
 new_slab+0x319/0x490 mm/slub.c:1963
 ___slab_alloc+0x921/0xfe0 mm/slub.c:2994
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
 slab_alloc_node mm/slub.c:3172 [inline]
 slab_alloc mm/slub.c:3214 [inline]
 __kmalloc+0x305/0x320 mm/slub.c:4387
 kmalloc include/linux/slab.h:596 [inline]
 bio_kmalloc+0x42/0x610 block/bio.c:520
 bio_map_kern block/blk-map.c:351 [inline]
 blk_rq_map_kern+0x1e0/0x750 block/blk-map.c:642
 __scsi_execute+0x4bb/0x600 drivers/scsi/scsi_lib.c:228
 scsi_execute_req include/scsi/scsi_device.h:470 [inline]
 scsi_probe_lun drivers/scsi/scsi_scan.c:617 [inline]
 scsi_probe_and_add_lun+0x521/0x3590 drivers/scsi/scsi_scan.c:1114
 __scsi_scan_target+0x21f/0xdb0 drivers/scsi/scsi_scan.c:1588
 scsi_scan_channel drivers/scsi/scsi_scan.c:1676 [inline]
 scsi_scan_channel+0x148/0x1e0 drivers/scsi/scsi_scan.c:1652
 scsi_scan_host_selected+0x2df/0x3b0 drivers/scsi/scsi_scan.c:1705
 do_scsi_scan_host+0x1e8/0x260 drivers/scsi/scsi_scan.c:1844
 do_scan_async+0x3e/0x500 drivers/scsi/scsi_scan.c:1854
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3394
 __vunmap+0x783/0xb70 mm/vmalloc.c:2621
 free_work+0x58/0x70 mm/vmalloc.c:95
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88801c827e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801c827e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801c827f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88801c827f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801c828000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (45):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/09/25 06:52 upstream 4c4f0c2bf341 8cac236e .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/25 13:03 upstream 6e764bcd1cf7 b599f2fc .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/23 00:46 upstream e22ce8eb631b b599f2fc .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/16 08:27 upstream 7c60610d4767 2489ab88 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/14 20:00 upstream dfa377c35d70 2489ab88 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/12 17:26 upstream 1746f4db5135 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/11 10:05 upstream 9e723c5380c6 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/11 09:08 upstream 9e723c5380c6 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/10 17:20 upstream 9a73fa375d58 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/08 00:41 upstream c9194f32bfd9 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/06 06:25 upstream 902e7f373fff d2d6e680 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/05 17:26 upstream 251a1524293d 7f7bb950 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/08/02 15:44 upstream c500bee1c5b2 6c236867 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/28 17:44 upstream 7d549995d4e0 17d6ab15 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/26 16:22 upstream ff1176468d36 fd511809 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/21 04:11 upstream 8cae8cd89f05 1b201b48 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/20 21:23 upstream 8cae8cd89f05 1b201b48 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/19 22:54 upstream 2734d6c1b1a0 bc48c9ab .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/19 09:33 upstream 2734d6c1b1a0 f115ae98 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/18 18:12 upstream 1d67c8d993ba f115ae98 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/18 11:56 upstream ccbb22b9ab86 f115ae98 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/16 07:06 upstream dd9c7df94c1b f115ae98 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/15 07:37 upstream 8096acd7442e b9a2f64e .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/15 01:12 upstream 8096acd7442e 94e0b707 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/11 09:41 upstream 3dbdb38e2869 8f5a7b8c .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/10 07:15 upstream 3dbdb38e2869 8f5a7b8c .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/09 21:14 upstream 3dbdb38e2869 281e815f .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/09 04:19 upstream 3dbdb38e2869 1b20171a .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/07 17:12 upstream 3dbdb38e2869 4846d5c1 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/07 02:16 upstream 3dbdb38e2869 cca78469 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-selinux-root 2021/07/06 23:41 upstream 3dbdb38e2869 cca78469 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/05 19:06 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/05 14:17 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/05 02:51 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/04 21:09 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/04 04:58 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/04 00:50 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/03 17:26 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/03 05:37 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce 2021/07/01 09:16 upstream dbe69e433722 658ebc66 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-386 2021/08/11 19:50 upstream 761c6d7ec820 6972b106 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-386 2021/07/06 23:47 upstream 3dbdb38e2869 cca78469 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-386 2021/07/06 22:59 upstream 3dbdb38e2869 cca78469 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-386 2021/07/05 22:31 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
ci-upstream-kasan-gce-386 2021/07/03 20:23 upstream 3dbdb38e2869 55aa55c2 .config log report info KASAN: use-after-free Write in dec_ucount
* Struck through repros no longer work on HEAD.