syzbot |
sign-in | mailing list | source | docs |
wlan1 speed is unknown, defaulting to 1000 ================================================================== BUG: KASAN: use-after-free in siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177 Read of size 4 at addr ffff88804d16c0e0 by task kworker/1:4/15668 CPU: 1 PID: 15668 Comm: kworker/1:4 Not tainted 6.1.58-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 Workqueue: infiniband ib_cache_event_task Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 siw_query_port+0x342/0x430 drivers/infiniband/sw/siw/siw_verbs.c:177 ib_cache_update+0x1a8/0xaf0 drivers/infiniband/core/cache.c:1487 ib_cache_event_task+0xef/0x1e0 drivers/infiniband/core/cache.c:1561 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> The buggy address belongs to the physical page: page:ffffea0001345b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4d16c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001f5c808 ffff8880b9940630 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x546dc0(GFP_USER|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 13166, tgid 13166 (syz-executor.3), ts 1100688240194, free_ts 2281104523472 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2513 prep_new_page mm/page_alloc.c:2520 [inline] get_page_from_freelist+0x31a1/0x3320 mm/page_alloc.c:4279 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5545 __alloc_pages_node include/linux/gfp.h:237 [inline] alloc_pages_node include/linux/gfp.h:260 [inline] __kmalloc_large_node+0x91/0x1d0 mm/slab_common.c:1096 __do_kmalloc_node mm/slab_common.c:943 [inline] __kmalloc_node+0x111/0x230 mm/slab_common.c:962 kmalloc_node include/linux/slab.h:579 [inline] kvmalloc_node+0x6e/0x180 mm/util.c:581 kvmalloc include/linux/slab.h:706 [inline] kvzalloc include/linux/slab.h:714 [inline] alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10587 ieee80211_if_add+0xe67/0x1890 net/mac80211/iface.c:2139 ieee80211_register_hw+0x32ff/0x3f10 net/mac80211/main.c:1396 mac80211_hwsim_new_radio+0x22d9/0x4060 drivers/net/wireless/mac80211_hwsim.c:4582 hwsim_new_radio_nl+0xc54/0x1190 drivers/net/wireless/mac80211_hwsim.c:5176 genl_family_rcv_msg_doit net/netlink/genetlink.c:756 [inline] genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0xc1a/0xf70 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1352 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1874 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1440 [inline] free_pcp_prepare mm/page_alloc.c:1490 [inline] free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3358 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3453 free_large_kmalloc+0xfb/0x190 mm/slab_common.c:932 device_release+0x91/0x1c0 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x224/0x460 lib/kobject.c:729 netdev_run_todo+0xe56/0xf40 net/core/dev.c:10377 ieee80211_unregister_hw+0x5a/0x220 net/mac80211/main.c:1474 mac80211_hwsim_del_radio+0x2be/0x4a0 drivers/net/wireless/mac80211_hwsim.c:4683 hwsim_exit_net+0x5b8/0x660 drivers/net/wireless/mac80211_hwsim.c:5470 ops_exit_list net/core/net_namespace.c:169 [inline] cleanup_net+0x6ce/0xb60 net/core/net_namespace.c:601 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Memory state around the buggy address: ffff88804d16bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804d16c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88804d16c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88804d16c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88804d16c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/10/19 18:36 | linux-6.1.y | adc4d740ad9e | 42e1d524 | .config | console log | report | info | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | |||
| 2023/10/16 01:41 | linux-6.1.y | adc4d740ad9e | f757a323 | .config | console log | report | info | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | |||
| 2023/08/28 16:34 | linux-6.1.y | 024f76bca9d0 | 7ba13a15 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2023/08/07 22:49 | linux-6.1.y | 52a953d0934b | b1b6ae3d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port | ||
| 2023/08/03 23:19 | linux-6.1.y | 52a953d0934b | 74621247 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in siw_query_port |