syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [993] ≡ Subsystems 🐞 Fixed [5244] 🐞 Invalid [12515] ⬇ Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:50 [inline] BUG: KASAN: use-after-free in kernfs_active+0x6e/0xea fs/kernfs/dir.c:28 Read of size 8 at addr ffffaf80227a00e8 by task kworker/u4:5/856 CPU: 0 PID: 856 Comm: kworker/u4:5 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Workqueue: netns cleanup_net Call Trace: [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255 [<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline] [<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459 [<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline] [<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [<ffffffff806676c6>] kernfs_root fs/kernfs/kernfs-internal.h:50 [inline] [<ffffffff806676c6>] kernfs_active+0x6e/0xea fs/kernfs/dir.c:28 [<ffffffff80668c0e>] __kernfs_remove+0x1a8/0x804 fs/kernfs/dir.c:1345 [<ffffffff8066b1ee>] kernfs_remove+0x56/0x70 fs/kernfs/dir.c:1403 [<ffffffff80671b24>] sysfs_remove_group+0x80/0xee fs/sysfs/group.c:290 [<ffffffff80672c86>] sysfs_remove_groups fs/sysfs/group.c:312 [inline] [<ffffffff80672c86>] sysfs_remove_groups+0x50/0x78 fs/sysfs/group.c:304 [<ffffffff813deb28>] device_remove_groups drivers/base/core.c:2478 [inline] [<ffffffff813deb28>] device_remove_attrs+0xa0/0x10a drivers/base/core.c:2678 [<ffffffff813e183c>] device_del+0x328/0x730 drivers/base/core.c:3591 [<ffffffff827bda8e>] netdev_unregister_kobject+0x118/0x12c net/core/net-sysfs.c:1974 [<ffffffff8272cfe8>] unregister_netdevice_many+0xa2e/0xf50 net/core/dev.c:10442 [<ffffffff82c155da>] ip_tunnel_delete_nets+0x348/0x4e2 net/ipv4/ip_tunnel.c:1123 [<ffffffff82c4982a>] vti_exit_batch_net+0x2a/0x34 net/ipv4/ip_vti.c:515 [<ffffffff8270dc76>] ops_exit_list+0xcc/0xe8 net/core/net_namespace.c:173 [<ffffffff8270f544>] cleanup_net+0x430/0x732 net/core/net_namespace.c:597 [<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307 [<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454 [<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377 [<ffffffff80005724>] ret_from_exception+0x0/0x10 The buggy address belongs to the page: page:ffffaf807affb500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa29a0 flags: 0xa000000000(section=20|node=0|zone=0) raw: 000000a000000000 ffffaf807af8e428 ffffaf807aac8828 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 raw: 00000000000007ff page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 2067, ts 1355774348100, free_ts 1355933418600 __set_page_owner+0x48/0x136 mm/page_owner.c:183 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389 __alloc_pages_node include/linux/gfp.h:572 [inline] alloc_pages_node include/linux/gfp.h:595 [inline] alloc_thread_stack_node kernel/fork.c:262 [inline] dup_task_struct kernel/fork.c:887 [inline] copy_process+0x482/0x3c34 kernel/fork.c:1998 kernel_clone+0xee/0x920 kernel/fork.c:2555 kernel_thread+0xf8/0x130 kernel/fork.c:2607 call_usermodehelper_exec_work kernel/umh.c:174 [inline] call_usermodehelper_exec_work+0xc8/0x122 kernel/umh.c:160 process_one_work+0x654/0xffe kernel/workqueue.c:2307 worker_thread+0x360/0x8fa kernel/workqueue.c:2454 kthread+0x19e/0x1fa kernel/kthread.c:377 ret_from_exception+0x0/0x10 page last free stack trace: __reset_page_owner+0x4a/0xea mm/page_owner.c:142 reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x29c/0x45e mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x6a/0x31e mm/page_alloc.c:3404 free_the_page mm/page_alloc.c:706 [inline] __free_pages+0xe2/0x112 mm/page_alloc.c:5474 free_thread_stack kernel/fork.c:297 [inline] release_task_stack kernel/fork.c:434 [inline] put_task_stack+0x1d0/0x2b0 kernel/fork.c:445 finish_task_switch.isra.0+0x3ce/0x420 kernel/sched/core.c:4898 context_switch kernel/sched/core.c:4989 [inline] __schedule+0x58e/0x118e kernel/sched/core.c:6296 preempt_schedule_common+0x4e/0xde kernel/sched/core.c:6462 preempt_schedule+0x34/0x36 kernel/sched/core.c:6487 __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline] _raw_spin_unlock+0x60/0x6a kernel/locking/spinlock.c:186 spin_unlock include/linux/spinlock.h:389 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline] nsim_dev_trap_report_work+0x556/0x5e4 drivers/net/netdevsim/dev.c:843 process_one_work+0x654/0xffe kernel/workqueue.c:2307 worker_thread+0x360/0x8fa kernel/workqueue.c:2454 kthread+0x19e/0x1fa kernel/kthread.c:377 ret_from_exception+0x0/0x10 Memory state around the buggy address: ffffaf802279ff80: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc ffffaf80227a0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffffaf80227a0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffffaf80227a0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffffaf80227a0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 Oops [#1] Modules linked in: CPU: 1 PID: 856 Comm: kworker/u4:5 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Workqueue: netns cleanup_net epc : __up_write kernel/locking/rwsem.c:1309 [inline] epc : up_write+0x50/0x250 kernel/locking/rwsem.c:1567 ra : __up_write kernel/locking/rwsem.c:1309 [inline] ra : up_write+0x50/0x250 kernel/locking/rwsem.c:1567 epc : ffffffff801085ec ra : ffffffff801085ec sp : ffffaf800e25f530 gp : ffffffff85863ac0 tp : ffffaf800e49e100 t0 : ffffaf800e6ef640 t1 : fffff5ef044f3fd0 t2 : 0000000000000001 s0 : ffffaf800e25f590 s1 : 00000000000000d8 a0 : 0000000000000000 a1 : 0000000000000008 a2 : 0000000000000000 a3 : ffffffff801085ec a4 : ffffffff85892ec8 a5 : 0000000000000001 a6 : 0000000000f00000 a7 : ffffaf802279fe87 s2 : 00000000000000e0 s3 : ffffffff85899680 s4 : 0000000000000140 s5 : 0000000000000000 s6 : ffffaf800e25f5f0 s7 : ffffaf802279feb0 s8 : ffffaf800d4d9f18 s9 : 00000000000000d8 s10: ffffaf800c396a24 s11: ffffaf805a9f5c90 t3 : 0000000000000c89 t4 : fffff5ef044f3fd0 t5 : fffff5ef044f3fd1 t6 : 0000000000000002 status: 0000000000000120 badaddr: 0000000000000140 cause: 000000000000000d [<ffffffff80668dba>] kernfs_drain fs/kernfs/dir.c:467 [inline] [<ffffffff80668dba>] __kernfs_remove+0x354/0x804 fs/kernfs/dir.c:1367 [<ffffffff8066b1ee>] kernfs_remove+0x56/0x70 fs/kernfs/dir.c:1403 [<ffffffff80671b24>] sysfs_remove_group+0x80/0xee fs/sysfs/group.c:290 [<ffffffff80672c86>] sysfs_remove_groups fs/sysfs/group.c:312 [inline] [<ffffffff80672c86>] sysfs_remove_groups+0x50/0x78 fs/sysfs/group.c:304 [<ffffffff813deb28>] device_remove_groups drivers/base/core.c:2478 [inline] [<ffffffff813deb28>] device_remove_attrs+0xa0/0x10a drivers/base/core.c:2678 [<ffffffff813e183c>] device_del+0x328/0x730 drivers/base/core.c:3591 [<ffffffff827bda8e>] netdev_unregister_kobject+0x118/0x12c net/core/net-sysfs.c:1974 [<ffffffff8272cfe8>] unregister_netdevice_many+0xa2e/0xf50 net/core/dev.c:10442 [<ffffffff82c155da>] ip_tunnel_delete_nets+0x348/0x4e2 net/ipv4/ip_tunnel.c:1123 [<ffffffff82c4982a>] vti_exit_batch_net+0x2a/0x34 net/ipv4/ip_vti.c:515 [<ffffffff8270dc76>] ops_exit_list+0xcc/0xe8 net/core/net_namespace.c:173 [<ffffffff8270f544>] cleanup_net+0x430/0x732 net/core/net_namespace.c:597 [<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307 [<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454 [<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377 [<ffffffff80005724>] ret_from_exception+0x0/0x10 ---[ end trace 0000000000000000 ]---
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/06/03 03:00 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes | 0966d385830d | 5783034f | .config | console log | report | info | ci-qemu2-riscv64 | KASAN: use-after-free Read in kernfs_active |