syzbot


KASAN: use-after-free Read in kernfs_next_descendant_post (2)

Status: upstream: reported on 2021/10/04 12:57
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com
First crash: 363d, last: 2d01h
similar bugs (1):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in kernfs_next_descendant_post | (none) | (none) | (none) | 1 | 519d | 515d | 0/24 | auto-closed as invalid on 2021/08/25 09:05

Sample crash report:
usb 2-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 2-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x2cd/0x2f0 fs/kernfs/dir.c:1288
Read of size 8 at addr ffff888026a16ce0 by task kworker/1:5/3696

CPU: 1 PID: 3696 Comm: kworker/1:5 Not tainted 6.0.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
 kernfs_next_descendant_post+0x2cd/0x2f0 fs/kernfs/dir.c:1288
 kernfs_activate+0x97/0x240 fs/kernfs/dir.c:1328
 kernfs_add_one+0x3c6/0x550 fs/kernfs/dir.c:775
 kernfs_create_link+0x19f/0x230 fs/kernfs/symlink.c:48
 sysfs_do_create_link_sd+0x90/0x140 fs/sysfs/symlink.c:44
 sysfs_do_create_link fs/sysfs/symlink.c:80 [inline]
 sysfs_create_link+0x5f/0xc0 fs/sysfs/symlink.c:92
 device_add_class_symlinks drivers/base/core.c:3239 [inline]
 device_add+0x5de/0x1e90 drivers/base/core.c:3465
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 3696:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 __kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:470
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc mm/slab.c:3294 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3471 [inline]
 kmem_cache_alloc+0x214/0x520 mm/slab.c:3491
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:593
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:655
 kernfs_create_link+0xcb/0x230 fs/kernfs/symlink.c:39
 sysfs_do_create_link_sd+0x90/0x140 fs/sysfs/symlink.c:44
 sysfs_do_create_link fs/sysfs/symlink.c:80 [inline]
 sysfs_create_link+0x5f/0xc0 fs/sysfs/symlink.c:92
 device_add_class_symlinks drivers/base/core.c:3239 [inline]
 device_add+0x5de/0x1e90 drivers/base/core.c:3465
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 2586:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x13d/0x1a0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x10f/0x2e0 mm/slab.c:3725
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:547
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:521
 __kernfs_remove+0x7a6/0xb50 fs/kernfs/dir.c:1407
 kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1427
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
 __kobject_del+0xe2/0x1f0 lib/kobject.c:588
 kobject_del lib/kobject.c:611 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:603
 device_del+0x81c/0xc80 drivers/base/core.c:3715
 usb_disconnect.cold+0x49b/0x6ed drivers/usb/core/hub.c:2261
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x4610 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff888026a16cb0
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
 168-byte region [ffff888026a16cb0, ffff888026a16d58)

The buggy address belongs to the physical page:
page:ffffea00009a8580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x26a16
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00007f2d48 ffffea0000859d08 ffff888140166200
raw: 0000000000000000 ffff888026a16000 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3641, tgid 3641 (syz-executor.5), ts 185366001283, free_ts 185275323285
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 __alloc_pages_node include/linux/gfp.h:243 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x360 mm/slab.c:2569
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
 ____cache_alloc mm/slab.c:3018 [inline]
 ____cache_alloc mm/slab.c:3001 [inline]
 __do_cache_alloc mm/slab.c:3246 [inline]
 slab_alloc mm/slab.c:3287 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3471 [inline]
 kmem_cache_alloc+0x433/0x520 mm/slab.c:3491
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:593
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:655
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1050
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 netdev_queue_add_kobject net/core/net-sysfs.c:1672 [inline]
 netdev_queue_update_kobjects+0x3aa/0x4e0 net/core/net-sysfs.c:1718
 register_queue_kobjects net/core/net-sysfs.c:1779 [inline]
 netdev_register_kobject+0x330/0x400 net/core/net-sysfs.c:2019
 register_netdevice+0xe01/0x1680 net/core/dev.c:10070
 veth_newlink+0x33f/0x9a0 drivers/net/veth.c:1764
 rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
 __rtnl_newlink+0x1087/0x17e0 net/core/rtnetlink.c:3580
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 slab_destroy mm/slab.c:1615 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1635
 cache_flusharray mm/slab.c:3389 [inline]
 ___cache_free+0x2a8/0x3d0 mm/slab.c:3452
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x4f/0x1b0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:447
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc mm/slab.c:3294 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3471 [inline]
 kmem_cache_alloc+0x214/0x520 mm/slab.c:3491
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:593
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:655
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1050
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:188
 internal_create_groups fs/sysfs/group.c:184 [inline]
 sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:214
 create_dir lib/kobject.c:68 [inline]
 kobject_add_internal+0x318/0x8f0 lib/kobject.c:223

Memory state around the buggy address:
 ffff888026a16b80: fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
 ffff888026a16c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff888026a16c80: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888026a16d00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff888026a16d80: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (32):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce-selinux-root | 2022/09/26 13:51 | upstream | f76349cf4145 | d59ba983 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce | 2022/09/24 21:22 | upstream | a63f2e7cb110 | 0042f2b4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2022/08/07 21:27 | upstream | 200e340f2196 | 88e3a122 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream | 2022/07/31 17:29 | upstream | 6a010258447d | fef302b1 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2022/06/26 02:15 | upstream | 8c23f235a6a8 | a371c43c | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream | 2022/06/05 12:23 | upstream | d0e60d46bc03 | c8857892 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream | 2022/05/25 08:59 | upstream | 0350785b0a09 | 647c0e27 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream | 2022/05/25 08:58 | upstream | 0350785b0a09 | 647c0e27 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream | 2022/04/29 06:28 | upstream | 259b897e5a79 | e9076525 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2022/04/26 14:37 | upstream | d615b5416f8a | 1fa34c1b | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2022/03/30 00:19 | upstream | 1930a6e739c4 | 6bdac766 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce | 2022/01/25 12:52 | upstream | a08b41ab9e2e | 2cbffd88 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2022/01/16 07:29 | upstream | a33f5c380c4b | 723cfaf0 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-selinux-root | 2021/12/27 12:40 | upstream | fc74e0a40e4f | e4f103c4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root | 2021/12/27 12:36 | upstream | fc74e0a40e4f | e4f103c4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce | 2021/09/30 11:34 | upstream | 02d5e016800d | be530f6c | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 | 2022/07/18 10:13 | upstream | ff6992735ade | 95cb00d1 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 | 2022/04/26 14:57 | upstream | d615b5416f8a | 1fa34c1b | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 | 2022/04/21 05:03 | upstream | b253435746d9 | d4befee1 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 | 2022/03/16 00:57 | upstream | 56e337f2cf13 | 9e8eaa75 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 | 2022/02/27 04:24 | upstream | 2293be58d6a1 | 45a13a73 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 | 2021/12/27 12:42 | upstream | fc74e0a40e4f | e4f103c4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/09/26 13:49 | linux-next | aaa11ce2ffc8 | d59ba983 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/09/24 21:33 | linux-next | aaa11ce2ffc8 | 0042f2b4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/07/02 05:46 | linux-next | cb71b93c2dc3 | 1434eec0 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/07/02 05:44 | linux-next | cb71b93c2dc3 | 1434eec0 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/03/22 08:50 | linux-next | f9006d9269ea | e2d91b1d | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2022/03/14 11:48 | linux-next | 91265a6da44d | 9e8eaa75 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2021/12/27 12:48 | linux-next | ea586a076e8a | e4f103c4 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2021/10/20 07:33 | linux-next | 60e8840126bd | 466b7db1 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2021/10/15 18:33 | linux-next | 7c832d2f9b95 | 0c5d9412 | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root | 2021/09/30 11:42 | linux-next | c7b4d0e56a1d | be530f6c | .config | log | report | (none) | (none) | info | KASAN: use-after-free Read in kernfs_next_descendant_post