| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] KASAN: use-after-free Write in dec_ucount | 0 (1) | 2021/07/05 09:20 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] KASAN: use-after-free Write in dec_ucount | 0 (1) | 2021/07/05 09:20 |
================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_long_dec_if_positive include/linux/atomic/atomic-instrumented.h:1754 [inline] BUG: KASAN: use-after-free in dec_ucount+0x54/0x130 kernel/ucount.c:252 Write of size 8 at addr ffff88801c827f40 by task kworker/u4:0/8 CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_long_dec_if_positive include/linux/atomic/atomic-instrumented.h:1754 [inline] dec_ucount+0x54/0x130 kernel/ucount.c:252 dec_net_namespaces net/core/net_namespace.c:387 [inline] cleanup_net+0x6f3/0xb00 net/core/net_namespace.c:607 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 6526: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa4/0xd0 mm/kasan/common.c:522 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] alloc_ucounts+0x23d/0x5b0 kernel/ucount.c:173 set_cred_ucounts+0x171/0x3a0 kernel/cred.c:684 copy_creds+0x70e/0xb60 kernel/cred.c:375 copy_process+0x1443/0x7580 kernel/fork.c:2066 kernel_clone+0xe7/0xac0 kernel/fork.c:2584 __do_sys_clone+0xc8/0x110 kernel/fork.c:2701 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe9/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1353 __queue_work+0x5ca/0xee0 kernel/workqueue.c:1519 queue_work_on+0xee/0x110 kernel/workqueue.c:1546 queue_work include/linux/workqueue.h:502 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208 uevent_store+0x20/0x50 drivers/base/core.c:2375 dev_attr_store+0x50/0x80 drivers/base/core.c:2076 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2163 [inline] new_sync_write+0x429/0x660 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x12d/0x250 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe9/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1353 __queue_work+0x5ca/0xee0 kernel/workqueue.c:1519 queue_work_on+0xee/0x110 kernel/workqueue.c:1546 queue_work include/linux/workqueue.h:502 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208 uevent_store+0x20/0x50 drivers/base/core.c:2375 dev_attr_store+0x50/0x80 drivers/base/core.c:2076 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2163 [inline] new_sync_write+0x429/0x660 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x12d/0x250 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88801c827f00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 64 bytes inside of 192-byte region [ffff88801c827f00, ffff88801c827fc0) The buggy address belongs to the page: page:ffffea00007209c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801c827f00 pfn:0x1c827 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000592608 ffffea0001eb3d88 ffff888010c41a00 raw: ffff88801c827f00 000000000010000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 253, ts 8084778998, free_ts 8066282067 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197 alloc_slab_page mm/slub.c:1763 [inline] allocate_slab mm/slub.c:1900 [inline] new_slab+0x319/0x490 mm/slub.c:1963 ___slab_alloc+0x921/0xfe0 mm/slub.c:2994 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081 slab_alloc_node mm/slub.c:3172 [inline] slab_alloc mm/slub.c:3214 [inline] __kmalloc+0x305/0x320 mm/slub.c:4387 kmalloc include/linux/slab.h:596 [inline] bio_kmalloc+0x42/0x610 block/bio.c:520 bio_map_kern block/blk-map.c:351 [inline] blk_rq_map_kern+0x1e0/0x750 block/blk-map.c:642 __scsi_execute+0x4bb/0x600 drivers/scsi/scsi_lib.c:228 scsi_execute_req include/scsi/scsi_device.h:470 [inline] scsi_probe_lun drivers/scsi/scsi_scan.c:617 [inline] scsi_probe_and_add_lun+0x521/0x3590 drivers/scsi/scsi_scan.c:1114 __scsi_scan_target+0x21f/0xdb0 drivers/scsi/scsi_scan.c:1588 scsi_scan_channel drivers/scsi/scsi_scan.c:1676 [inline] scsi_scan_channel+0x148/0x1e0 drivers/scsi/scsi_scan.c:1652 scsi_scan_host_selected+0x2df/0x3b0 drivers/scsi/scsi_scan.c:1705 do_scsi_scan_host+0x1e8/0x260 drivers/scsi/scsi_scan.c:1844 do_scan_async+0x3e/0x500 drivers/scsi/scsi_scan.c:1854 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3394 __vunmap+0x783/0xb70 mm/vmalloc.c:2621 free_work+0x58/0x70 mm/vmalloc.c:95 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88801c827e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801c827e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88801c827f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801c827f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88801c828000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2021/09/25 06:52 | upstream | 4c4f0c2bf341 | 8cac236e | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/25 13:03 | upstream | 6e764bcd1cf7 | b599f2fc | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/23 00:46 | upstream | e22ce8eb631b | b599f2fc | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/16 08:27 | upstream | 7c60610d4767 | 2489ab88 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/14 20:00 | upstream | dfa377c35d70 | 2489ab88 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/12 17:26 | upstream | 1746f4db5135 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/11 10:05 | upstream | 9e723c5380c6 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/11 09:08 | upstream | 9e723c5380c6 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/10 17:20 | upstream | 9a73fa375d58 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/08 00:41 | upstream | c9194f32bfd9 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/06 06:25 | upstream | 902e7f373fff | d2d6e680 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/05 17:26 | upstream | 251a1524293d | 7f7bb950 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/02 15:44 | upstream | c500bee1c5b2 | 6c236867 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/28 17:44 | upstream | 7d549995d4e0 | 17d6ab15 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/26 16:22 | upstream | ff1176468d36 | fd511809 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/21 04:11 | upstream | 8cae8cd89f05 | 1b201b48 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/20 21:23 | upstream | 8cae8cd89f05 | 1b201b48 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/19 22:54 | upstream | 2734d6c1b1a0 | bc48c9ab | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/19 09:33 | upstream | 2734d6c1b1a0 | f115ae98 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/18 18:12 | upstream | 1d67c8d993ba | f115ae98 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/18 11:56 | upstream | ccbb22b9ab86 | f115ae98 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/16 07:06 | upstream | dd9c7df94c1b | f115ae98 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/15 07:37 | upstream | 8096acd7442e | b9a2f64e | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/15 01:12 | upstream | 8096acd7442e | 94e0b707 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/11 09:41 | upstream | 3dbdb38e2869 | 8f5a7b8c | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/10 07:15 | upstream | 3dbdb38e2869 | 8f5a7b8c | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/09 21:14 | upstream | 3dbdb38e2869 | 281e815f | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/09 04:19 | upstream | 3dbdb38e2869 | 1b20171a | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/07 17:12 | upstream | 3dbdb38e2869 | 4846d5c1 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/07 02:16 | upstream | 3dbdb38e2869 | cca78469 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/06 23:41 | upstream | 3dbdb38e2869 | cca78469 | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/05 19:06 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/05 14:17 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/05 02:51 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/04 21:09 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/04 04:58 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/04 00:50 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/03 17:26 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/03 05:37 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/01 09:16 | upstream | dbe69e433722 | 658ebc66 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Write in dec_ucount | |||
| 2021/08/11 19:50 | upstream | 761c6d7ec820 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce-386 | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/06 23:47 | upstream | 3dbdb38e2869 | cca78469 | .config | console log | report | info | ci-upstream-kasan-gce-386 | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/06 22:59 | upstream | 3dbdb38e2869 | cca78469 | .config | console log | report | info | ci-upstream-kasan-gce-386 | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/05 22:31 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce-386 | KASAN: use-after-free Write in dec_ucount | |||
| 2021/07/03 20:23 | upstream | 3dbdb38e2869 | 55aa55c2 | .config | console log | report | info | ci-upstream-kasan-gce-386 | KASAN: use-after-free Write in dec_ucount |