syzbot

 sign-in | mailing list | source | docs
🐞 Open [779]
🐞 Fixed [131]
🐞 Invalid [869]
Missing Backports [73]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in siw_query_port

Status: auto-obsoleted due to no activity on 2024/01/27 18:37
Reported-by: syzbot+f43f88de45aa8aa2d857@syzkaller.appspotmail.com
First crash: 771d, last: 694d
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in siw_query_port (2) 19 84 18d 639d 0/3 upstream: reported on 2023/12/13 22:42
upstream KASAN: slab-use-after-free Read in siw_query_port rdma 19 50 739d 854d 0/29 auto-obsoleted due to no activity on 2023/11/13 22:18
linux-5.15 KASAN: use-after-free Read in siw_query_port 19 3 784d 810d 0/3 auto-obsoleted due to no activity on 2023/10/29 16:51
linux-6.1 KASAN: use-after-free Read in siw_query_port (2) origin:lts-only 19 syz inconclusive 336 3d14h 581d 0/3 upstream: reported syz repro on 2024/02/09 22:01
upstream KASAN: slab-use-after-free Read in siw_query_port (2) rdma 19 syz error inconclusive 2 276d 289d 0/29 auto-obsoleted due to no activity on 2025/04/27 10:54

Sample crash report:
wlan1 speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
Read of size 4 at addr ffff88804d16c0e0 by task kworker/1:4/15668

CPU: 1 PID: 15668 Comm: kworker/1:4 Not tainted 6.1.58-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: infiniband ib_cache_event_task
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177
 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1487
 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1561
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001345b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4d16c
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001f5c808 ffff8880b9940630 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 13166, tgid 13166 (syz-executor.3), ts 1100688240194, free_ts 2281104523472
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513
 prep_new_page mm/page_alloc.c:2520 [inline]
 get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5545
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1096
 __do_kmalloc_node mm/slab_common.c:943 [inline]
 __kmalloc_node+0x111/0x230 mm/slab_common.c:962
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x6e/0x180 mm/util.c:581
 kvmalloc include/linux/slab.h:706 [inline]
 kvzalloc include/linux/slab.h:714 [inline]
 alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10587
 ieee80211_if_add+0xe67/0x1890 net/mac80211/iface.c:2139
 ieee80211_register_hw+0x32ff/0x3f10 net/mac80211/main.c:1396
 mac80211_hwsim_new_radio+0x22d9/0x4060 drivers/net/wireless/mac80211_hwsim.c:4582
 hwsim_new_radio_nl+0xc54/0x1190 drivers/net/wireless/mac80211_hwsim.c:5176
 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
 genl_rcv_msg+0xc1a/0xf70 net/netlink/genetlink.c:850
 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1440 [inline]
 free_pcp_prepare mm/page_alloc.c:1490 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453
 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:932
 device_release+0x91/0x1c0
 kobject_cleanup lib/kobject.c:681 [inline]
 kobject_release lib/kobject.c:712 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x224/0x460 lib/kobject.c:729
 netdev_run_todo+0xe56/0xf40 net/core/dev.c:10377
 ieee80211_unregister_hw+0x5a/0x220 net/mac80211/main.c:1474
 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683
 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:5470
 ops_exit_list net/core/net_namespace.c:169 [inline]
 cleanup_net+0x6ce/0xb60 net/core/net_namespace.c:601
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Memory state around the buggy address:
 ffff88804d16bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804d16c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804d16c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff88804d16c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d16c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/10/19 18:36 linux-6.1.y adc4d740ad9e 42e1d524 .config console log report info ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2023/10/16 01:41 linux-6.1.y adc4d740ad9e f757a323 .config console log report info ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2023/08/28 16:34 linux-6.1.y 024f76bca9d0 7ba13a15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2023/08/07 22:49 linux-6.1.y 52a953d0934b b1b6ae3d .config console log report info ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
2023/08/03 23:19 linux-6.1.y 52a953d0934b 74621247 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in siw_query_port
* Struck through repros no longer work on HEAD.