syzbot

 sign-in | mailing list | source | docs
🐞 Open [1606]
Subsystems
🐞 Fixed [5937]
🐞 Invalid [14469]
Missing Backports [106]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in __queue_work (2)

Status: fixed on 2020/01/08 01:07
Reported-by: syzbot+1c9db6a163a4000d0765@syzkaller.appspotmail.com
Fix commit: 430ac66eb4c5 net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
First crash: 2362d, last: 2008d
Cause bisection: introduced by (bisect log) :
commit 7594bf37ae9ffc434da425120c576909eb33b0bc
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon Jul 17 02:53:08 2017 +0000

  9p: untangle ->poll() mess

Crash: KASAN: use-after-free Read in __queue_work (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Author: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Fri Jul 20 09:27:30 2018 +0000

  net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()

  
Discussions (3)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in __queue_work (2) 0 (3) 2019/12/07 19:45
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/24 01:46
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/02 06:29
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in __queue_work C 19 2322d 2084d 0/3 public: reported C repro on 2019/04/13 00:00
linux-4.19 KASAN: use-after-free Read in __queue_work syz done 5 1234d 1606d 1/1 fixed on 2021/09/10 09:12
linux-4.14 KASAN: use-after-free Read in __queue_work syz error 4 841d 1605d 0/1 upstream: reported syz repro on 2020/08/03 15:06
upstream KASAN: use-after-free Read in __queue_work net syz 2 2653d 2617d 0/28 closed as invalid on 2017/10/27 09:34
upstream KASAN: use-after-free Read in __queue_work (3) bluetooth syz done done 83 771d 1600d 0/28 closed as invalid on 2024/09/06 10:40

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40 kernel/workqueue.c:442
Read of size 8 at addr ffff8801bfb8ebe0 by task kworker/1:2/1876

CPU: 1 PID: 1876 Comm: kworker/1:2 Not tainted 4.18.0-rc8+ #182
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 constant_test_bit arch/x86/include/asm/bitops.h:328 [inline]
 work_is_static_object+0x39/0x40 kernel/workqueue.c:442
 debug_object_activate+0x2fc/0x690 lib/debugobjects.c:508
 debug_work_activate kernel/workqueue.c:491 [inline]
 __queue_work+0x1ca/0x1410 kernel/workqueue.c:1380
 queue_work_on+0x19a/0x1e0 kernel/workqueue.c:1486
 queue_work include/linux/workqueue.h:512 [inline]
 schedule_work include/linux/workqueue.h:570 [inline]
 p9_poll_mux net/9p/trans_fd.c:628 [inline]
 p9_poll_workfn+0x55e/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 5557:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x8ed/0x1770 net/9p/client.c:1063
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5557:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xa9a/0x1770 net/9p/client.c:1077
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801bfb8eac0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 288 bytes inside of
 512-byte region [ffff8801bfb8eac0, ffff8801bfb8ecc0)
The buggy address belongs to the page:
page:ffffea0006fee380 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006fe2fc8 ffffea0006fee488 ffff8801dac00940
raw: 0000000000000000 ffff8801bfb8e0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bfb8ea80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801bfb8eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801bfb8eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801bfb8ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801bfb8ec80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (577):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/09 20:35 upstream 112cbae26d18 1fb62d58 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/29 18:50 upstream a26fb01c2879 0824d7a1 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/20 16:52 upstream 28c20cc73b9c 49f35839 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/16 07:03 upstream 9d3cce1e8b85 92a49505 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/13 03:28 upstream 63f047771621 06c33b3a .config console log report syz C ci-upstream-kasan-gce-root
2018/07/12 08:09 upstream c25c74b7476e 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 21:42 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 21:17 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 16:28 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce
2018/07/11 12:32 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce
2018/07/11 11:44 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 04:10 upstream 30c2c32d7f70 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 03:27 upstream 30c2c32d7f70 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 03:02 upstream 30c2c32d7f70 2e0e3130 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/11 00:14 upstream 30c2c32d7f70 2e0e3130 .config console log report syz C ci-upstream-kasan-gce
2018/07/10 19:34 upstream 092150a25cb7 9fa03fa5 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/10 16:51 upstream 092150a25cb7 9fa03fa5 .config console log report syz C ci-upstream-kasan-gce
2018/07/10 08:03 upstream 092150a25cb7 f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/10 04:37 upstream 092150a25cb7 f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/10 01:37 upstream 092150a25cb7 f25e5770 .config console log report syz C ci-upstream-kasan-gce
2018/07/09 21:03 upstream 1e4b044d2251 f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/09 20:39 upstream 1e4b044d2251 f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/09 13:52 upstream 1e4b044d2251 f25e5770 .config console log report syz C ci-upstream-kasan-gce
2018/07/09 09:02 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce
2018/07/09 08:50 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/09 07:38 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce
2018/07/09 06:37 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/08 23:46 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce
2018/07/08 23:42 upstream ca04b3cca11a f25e5770 .config console log report syz C ci-upstream-kasan-gce-root
2018/07/10 03:42 upstream 092150a25cb7 f25e5770 .config console log report syz C ci-upstream-kasan-gce-386
2018/07/10 03:08 upstream 092150a25cb7 f25e5770 .config console log report syz C ci-upstream-kasan-gce-386
2018/07/09 22:56 upstream 1e4b044d2251 f25e5770 .config console log report syz C ci-upstream-kasan-gce-386
2018/07/18 15:35 linux-next 0b742fe187f7 809256c3 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/15 21:41 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/13 21:24 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/13 16:48 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/13 15:19 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/13 14:55 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/13 12:29 linux-next 483d835c8189 92a49505 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/12 11:59 linux-next 3ee15ba60e6b 06c33b3a .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/11 20:29 linux-next 98be45067040 2e0e3130 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/10 12:12 linux-next 3951bd9fe3e2 9fa03fa5 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/10 09:43 linux-next 3951bd9fe3e2 9fa03fa5 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/09 20:49 linux-next d00d6d9a339d f25e5770 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/09 19:33 linux-next d00d6d9a339d f25e5770 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/07/09 16:29 linux-next d00d6d9a339d f25e5770 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/06/27 18:46 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce-smack-root
2018/07/09 01:51 upstream ca04b3cca11a f25e5770 .config console log report syz ci-upstream-kasan-gce-root
2019/06/27 19:09 upstream 249155c20f9b 7509bf36 .config console log report syz ci-upstream-kasan-gce-386
2018/07/09 09:24 upstream ca04b3cca11a f25e5770 .config console log report syz ci-upstream-kasan-gce-386
2018/07/09 05:21 upstream ca04b3cca11a f25e5770 .config console log report syz ci-upstream-kasan-gce-386
2018/07/09 01:46 upstream ca04b3cca11a f25e5770 .config console log report syz ci-upstream-kasan-gce-386
2018/07/08 23:45 upstream ca04b3cca11a f25e5770 .config console log report syz ci-upstream-kasan-gce-386
2018/08/18 01:34 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/18 00:25 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 22:40 upstream edb0a2000936 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 19:17 upstream 5c60a7389d79 738da825 .config console log report ci-upstream-kasan-gce-root
2018/08/17 13:00 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 09:43 upstream 5c60a7389d79 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/17 02:55 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 21:38 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 14:25 upstream f91e654474d4 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 12:29 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 11:14 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 11:14 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 07:35 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/16 01:04 upstream dafa5f6577a9 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 21:38 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 13:16 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 11:32 upstream 31130a16d459 9ccc1d45 .config console log report ci-upstream-kasan-gce-root
2018/08/15 08:26 upstream d0055f351e64 0e6dcb88 .config console log report ci-upstream-kasan-gce-root
2018/08/15 01:29 upstream d0055f351e64 0e6dcb88 .config console log report ci-upstream-kasan-gce-root
2018/08/14 13:38 upstream 10f3e23f07cb 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/14 11:06 upstream 7796916146b8 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/14 08:44 upstream 7796916146b8 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 23:19 upstream 7796916146b8 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 20:36 upstream 94710cac0ef4 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 20:07 upstream 94710cac0ef4 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 16:32 upstream 94710cac0ef4 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 15:30 upstream 94710cac0ef4 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 13:15 upstream 94710cac0ef4 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 06:01 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 04:39 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 03:05 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/13 00:59 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 23:14 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 21:34 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 18:17 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 17:17 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 16:07 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 14:24 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 13:23 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/12 11:47 upstream ec0c96714e7d 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/07/12 04:49 upstream c25c74b7476e 2e0e3130 .config console log report ci-upstream-kasan-gce
2018/07/12 09:19 upstream c25c74b7476e 2e0e3130 .config console log report ci-upstream-kasan-gce-386
2018/07/21 19:06 linux-next 89cf55353308 8cc079c3 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.