syzbot


KASAN: use-after-free Read in kernfs_next_descendant_post (2)

Status: upstream: reported C repro on 2021/10/04 12:57
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com
First crash: 490d, last: 5h44m

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in firmware_fallback_sysfs (log)
Repro: C syz .config
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: use-after-free Read in kernfs_activate (2) 3 63d 80d 0/24 closed as dup on 2022/11/15 06:12
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kernfs_next_descendant_post 1 646d 642d 0/24 auto-closed as invalid on 2021/08/25 09:05
Last patch testing requests:
Created Duration User Patch Repo Result
2022/11/15 18:49 10m mcgrof@kernel.org git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git 20221115-firmware_loader-fixes error
2022/10/21 22:52 18m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92 OK log
2022/10/21 13:35 18m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92 OK log
2022/10/21 09:26 12m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92 report log
2022/10/21 07:13 12m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92 report log
2022/10/21 03:24 17m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92 error
2022/10/20 10:50 11m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 55be6084c8e0 report log

Sample crash report:
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:337 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
Read of size 2 at addr ffff88814591c180 by task kworker/0:2/140

CPU: 0 PID: 140 Comm: kworker/0:2 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 kernfs_type include/linux/kernfs.h:337 [inline]
 kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
 kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
 kernfs_activate fs/kernfs/dir.c:1344 [inline]
 kernfs_add_one+0x38d/0x4e0 fs/kernfs/dir.c:776
 kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:1021
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 140:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3248 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node fs/kernfs/dir.c:665 [inline]
 kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1011
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 2933:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1759 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
 slab_free mm/slub.c:3539 [inline]
 kmem_cache_free+0xeb/0x5b0 mm/slub.c:3556
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:557
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:531
 __kernfs_remove+0x463/0x600 fs/kernfs/dir.c:1443
 kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1463
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
 __kobject_del+0xe2/0x1f0 lib/kobject.c:588
 kobject_del lib/kobject.c:611 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:603
 device_del+0x81c/0xc80 drivers/base/core.c:3715
 usb_disconnect.cold+0x49b/0x6ed drivers/usb/core/hub.c:2261
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x45e0 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88814591c0e8
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
 168-byte region [ffff88814591c0e8, ffff88814591c190)

The buggy address belongs to the physical page:
page:ffffea0005164700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14591c
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 0000000000000000 dead000000000001 ffff8880119dbb40
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1564996231, free_ts 0
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
 alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:1829 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1974
 new_slab mm/slub.c:2034 [inline]
 ___slab_alloc+0x84f/0xe80 mm/slub.c:3036
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
 slab_alloc_node mm/slub.c:3214 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:665
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1043
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 kernel_add_sysfs_param kernel/params.c:814 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x342/0x43b kernel/params.c:970
 do_one_initcall+0xfe/0x650 init/main.c:1296
 do_initcall_level init/main.c:1369 [inline]
 do_initcalls init/main.c:1385 [inline]
 do_basic_setup init/main.c:1404 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1623
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88814591c080: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
 ffff88814591c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88814591c180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
                   ^
 ffff88814591c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff88814591c280: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-root 2023/02/02 08:11 upstream 9f266ccaa2f5 b31320fc .config console log report syz C
ci-upstream-kasan-gce-root 2022/11/21 01:51 upstream eb7081409f94 b31320fc .config console log report syz C
* Struck through repros no longer work on HEAD.
Crashes (39):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-root 2022/10/20 07:14 upstream 55be6084c8e0 b31320fc .config strace log report syz C [disk image] [vmlinux] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/12/02 07:54 upstream ef4d3ea40565 e080de16 .config console log report syz [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2022/10/10 01:14 upstream a6afa4199d3d aea5da89 .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-selinux-root 2022/09/26 13:51 upstream f76349cf4145 d59ba983 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2022/09/24 21:22 upstream a63f2e7cb110 0042f2b4 .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/08/07 21:27 upstream 200e340f2196 88e3a122 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/07/31 17:29 upstream 6a010258447d fef302b1 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/06/26 02:15 upstream 8c23f235a6a8 a371c43c .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/06/05 12:23 upstream d0e60d46bc03 c8857892 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/05/25 08:59 upstream 0350785b0a09 647c0e27 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/05/25 08:58 upstream 0350785b0a09 647c0e27 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/04/29 06:28 upstream 259b897e5a79 e9076525 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/04/26 14:37 upstream d615b5416f8a 1fa34c1b .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/03/30 00:19 upstream 1930a6e739c4 6bdac766 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2022/01/25 12:52 upstream a08b41ab9e2e 2cbffd88 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/01/16 07:29 upstream a33f5c380c4b 723cfaf0 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-selinux-root 2021/12/27 12:40 upstream fc74e0a40e4f e4f103c4 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2021/12/27 12:36 upstream fc74e0a40e4f e4f103c4 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2021/09/30 11:34 upstream 02d5e016800d be530f6c .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/12/31 16:21 upstream c8451c141e07 ab32d508 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/12/31 16:20 upstream c8451c141e07 ab32d508 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/11/29 06:32 upstream b7b275e60bcd ca9683b8 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 2022/10/21 19:26 upstream e35184f32151 4bfd3c27 .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 2022/07/18 10:13 upstream ff6992735ade 95cb00d1 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 2022/04/26 14:57 upstream d615b5416f8a 1fa34c1b .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/04/21 05:03 upstream b253435746d9 d4befee1 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/03/16 00:57 upstream 56e337f2cf13 9e8eaa75 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/02/27 04:24 upstream 2293be58d6a1 45a13a73 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2021/12/27 12:42 upstream fc74e0a40e4f e4f103c4 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/09/26 13:49 linux-next aaa11ce2ffc8 d59ba983 .config console log report info [disk image] [vmlinux] KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/09/24 21:33 linux-next aaa11ce2ffc8 0042f2b4 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/07/02 05:46 linux-next cb71b93c2dc3 1434eec0 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/07/02 05:44 linux-next cb71b93c2dc3 1434eec0 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/03/22 08:50 linux-next f9006d9269ea e2d91b1d .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/03/14 11:48 linux-next 91265a6da44d 9e8eaa75 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/12/27 12:48 linux-next ea586a076e8a e4f103c4 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/10/20 07:33 linux-next 60e8840126bd 466b7db1 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/10/15 18:33 linux-next 7c832d2f9b95 0c5d9412 .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/09/30 11:42 linux-next c7b4d0e56a1d be530f6c .config console log report info KASAN: use-after-free Read in kernfs_next_descendant_post
* Struck through repros no longer work on HEAD.