syzbot

 sign-in | mailing list | source | docs
🐞 Open [80] 🐞 Fixed [21] 🐞 Invalid [282] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Write in __mod_timer

Status: auto-closed as invalid on 2021/06/27 19:40
Reported-by: syzbot+bebade1aa9eaad0b0160@syzkaller.appspotmail.com
First crash: 1154d, last: 1154d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Write in __mod_timer (3) 2 614d 670d 0/2 auto-obsoleted due to no activity on 2022/12/19 20:01
android-54 KASAN: use-after-free Write in __mod_timer (2) 1 938d 938d 0/2 auto-closed as invalid on 2022/01/30 03:03

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:787 [inline]
BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: use-after-free in __mod_timer+0xa90/0x1c70 kernel/time/timer.c:1062
Write of size 8 at addr ffff8881e28b71c8 by task kworker/0:2/97

CPU: 0 PID: 97 Comm: kworker/0:2 Not tainted 5.4.101-syzkaller-00440-g55e9d3c6b5f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x24e lib/dump_stack.c:118
 print_address_description+0x9b/0x650 mm/kasan/report.c:376
 __kasan_report+0x182/0x250 mm/kasan/report.c:508
 kasan_report+0x30/0x60 mm/kasan/common.c:641
 hlist_add_head include/linux/list.h:787 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __mod_timer+0xa90/0x1c70 kernel/time/timer.c:1062
 mod_peer_timer drivers/net/wireguard/timers.c:37 [inline]
 wg_timers_any_authenticated_packet_traversal+0x129/0x190 drivers/net/wireguard/timers.c:215
 wg_packet_create_data_done drivers/net/wireguard/send.c:248 [inline]
 wg_packet_tx_worker+0x2c4/0x9b0 drivers/net/wireguard/send.c:280
 process_one_work+0x679/0x1030 kernel/workqueue.c:2277
 worker_thread+0xa6f/0x1400 kernel/workqueue.c:2423
 kthread+0x30f/0x330 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 120:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x137/0x1e0 mm/kasan/common.c:517
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2821 [inline]
 slab_alloc mm/slub.c:2829 [inline]
 kmem_cache_alloc+0x115/0x290 mm/slub.c:2834
 mempool_alloc_slab+0x16/0x20 mm/mempool.c:513
 mempool_alloc+0x113/0x680 mm/mempool.c:393
 bio_alloc_bioset+0x1db/0x640 block/bio.c:483
 bio_alloc include/linux/bio.h:405 [inline]
 submit_bh_wbc+0x1ba/0x790 fs/buffer.c:3042
 submit_bh+0x21/0x30 fs/buffer.c:3076
 journal_submit_commit_record+0x7b5/0xa70 fs/jbd2/commit.c:154
 jbd2_journal_commit_transaction+0x3b51/0x6440 fs/jbd2/commit.c:877
 kjournald2+0x494/0x8a0 fs/jbd2/journal.c:209
 kthread+0x30f/0x330 kernel/kthread.c:268
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:333 [inline]
 __kasan_slab_free+0x18a/0x240 mm/kasan/common.c:475
 slab_free_hook mm/slub.c:1454 [inline]
 slab_free_freelist_hook+0x7b/0x150 mm/slub.c:1492
 slab_free mm/slub.c:3072 [inline]
 kmem_cache_free+0xb8/0x5f0 mm/slub.c:3088
 req_bio_endio block/blk-core.c:247 [inline]
 blk_update_request+0x33b/0xfc0 block/blk-core.c:1478
 blk_mq_end_request+0x39/0x70 block/blk-mq.c:571
 blk_flush_complete_seq+0x5a2/0xd20 block/blk-flush.c:197
 flush_end_io+0x4d6/0x6e0 block/blk-flush.c:248
 scsi_end_request+0x5bc/0x8b0 drivers/scsi/scsi_lib.c:622
 scsi_io_completion+0x1af/0x1bf0 drivers/scsi/scsi_lib.c:968
 blk_done_softirq+0x2f2/0x370 block/blk-softirq.c:37
 __do_softirq+0x23e/0x615 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e28b7140
 which belongs to the cache bio-0 of size 200
The buggy address is located 136 bytes inside of
 200-byte region [ffff8881e28b7140, ffff8881e28b7208)
The buggy address belongs to the page:
page:ffffea00078a2dc0 refcount:1 mapcount:0 mapping:ffff8881f5044c80 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5044c80
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e28b7080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff8881e28b7100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8881e28b7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8881e28b7200: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881e28b7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/02/27 19:39 android12-5.4 55e9d3c6b5f7 4c37c133 .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Write in __mod_timer
* Struck through repros no longer work on HEAD.