syzbot

KASAN: use-after-free Read in kernfs_next_descendant_post (2)
Status: upstream: reported on 2021/10/04 12:57
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com
First crash: 239d, last: 3d00h
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kernfs_next_descendant_post 1 396d 392d 0/22 auto-closed as invalid on 2021/08/25 09:05

Sample crash report:
usb 8-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x2cd/0x2f0 fs/kernfs/dir.c:1281
Read of size 8 at addr ffff8880724bc770 by task kworker/2:0/29

CPU: 2 PID: 29 Comm: kworker/2:0 Not tainted 5.18.0-syzkaller-01444-g0350785b0a09 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
 kernfs_next_descendant_post+0x2cd/0x2f0 fs/kernfs/dir.c:1281
 kernfs_activate+0x97/0x240 fs/kernfs/dir.c:1321
 kernfs_add_one+0x3c6/0x550 fs/kernfs/dir.c:767
 kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:1013
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2ce/0x900 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:2942 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:2997
 device_add+0x2a8/0x1e20 drivers/base/core.c:3326
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:512 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:588 [inline]
 firmware_fallback_sysfs+0x402/0xe70 drivers/base/firmware_loader/fallback.c:664
 _request_firmware+0xc2c/0x1020 drivers/base/firmware_loader/main.c:788
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1037
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 29:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:749 [inline]
 slab_alloc mm/slab.c:3316 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3493 [inline]
 kmem_cache_alloc+0x265/0x560 mm/slab.c:3513
 kmem_cache_zalloc include/linux/slab.h:704 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
 kernfs_new_node fs/kernfs/dir.c:647 [inline]
 kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1003
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2ce/0x900 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:2942 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:2997
 device_add+0x2a8/0x1e20 drivers/base/core.c:3326
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:512 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:588 [inline]
 firmware_fallback_sysfs+0x402/0xe70 drivers/base/firmware_loader/fallback.c:664
 _request_firmware+0xc2c/0x1020 drivers/base/firmware_loader/main.c:788
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1037
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Freed by task 3747:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3439 [inline]
 kmem_cache_free.part.0+0xa9/0x240 mm/slab.c:3749
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
 __kernfs_remove+0x7a3/0xb20 fs/kernfs/dir.c:1397
 kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1417
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
 __kobject_del+0xe2/0x200 lib/kobject.c:588
 kobject_del lib/kobject.c:611 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:603
 device_del+0x81c/0xc80 drivers/base/core.c:3603
 usb_disconnect.cold+0x4ba/0x6ec drivers/usb/core/hub.c:2254
 hub_port_connect drivers/usb/core/hub.c:5207 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5507 [inline]
 port_event drivers/usb/core/hub.c:5665 [inline]
 hub_event+0x1e74/0x4680 drivers/usb/core/hub.c:5747
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

The buggy address belongs to the object at ffff8880724bc740
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
 168-byte region [ffff8880724bc740, ffff8880724bc7e8)

The buggy address belongs to the physical page:
page:ffffea0001c92f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x724bc
flags: 0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000200 ffffea0001c71cc8 ffffea0001c92e88 ffff888011614000
raw: 0000000000000000 ffff8880724bc000 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40cc0(GFP_KERNEL|__GFP_COMP), pid 3712, tgid 3712 (syz-executor.2), ts 271775826098, free_ts 0
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 __alloc_pages_node include/linux/gfp.h:587 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 fallback_alloc+0x1e4/0x2e0 mm/slab.c:3132
 __do_cache_alloc mm/slab.c:3274 [inline]
 slab_alloc mm/slab.c:3309 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3493 [inline]
 kmem_cache_alloc+0x367/0x560 mm/slab.c:3513
 kmem_cache_zalloc include/linux/slab.h:704 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:982
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:188
 internal_create_groups fs/sysfs/group.c:184 [inline]
 sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:214
 create_dir lib/kobject.c:68 [inline]
 kobject_add_internal+0x31d/0x900 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_init_and_add+0x101/0x160 lib/kobject.c:441
 rx_queue_add_kobject net/core/net-sysfs.c:1050 [inline]
 net_rx_queue_update_kobjects+0x25b/0x510 net/core/net-sysfs.c:1101
 register_queue_kobjects net/core/net-sysfs.c:1761 [inline]
 netdev_register_kobject+0x275/0x430 net/core/net-sysfs.c:2012
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880724bc600: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb
 ffff8880724bc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880724bc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                             ^
 ffff8880724bc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff8880724bc800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (21):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2022/05/25 08:59 upstream 0350785b0a09 647c0e27 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/05/25 08:58 upstream 0350785b0a09 647c0e27 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream 2022/04/29 06:28 upstream 259b897e5a79 e9076525 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/04/26 14:37 upstream d615b5416f8a 1fa34c1b .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/03/30 00:19 upstream 1930a6e739c4 6bdac766 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2022/01/25 12:52 upstream a08b41ab9e2e 2cbffd88 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2022/01/16 07:29 upstream a33f5c380c4b 723cfaf0 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-selinux-root 2021/12/27 12:40 upstream fc74e0a40e4f e4f103c4 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-root 2021/12/27 12:36 upstream fc74e0a40e4f e4f103c4 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce 2021/09/30 11:34 upstream 02d5e016800d be530f6c .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-kasan-gce-386 2022/04/26 14:57 upstream d615b5416f8a 1fa34c1b .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/04/21 05:03 upstream b253435746d9 d4befee1 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/03/16 00:57 upstream 56e337f2cf13 9e8eaa75 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2022/02/27 04:24 upstream 2293be58d6a1 45a13a73 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-qemu-upstream-386 2021/12/27 12:42 upstream fc74e0a40e4f e4f103c4 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/03/22 08:50 linux-next f9006d9269ea e2d91b1d .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2022/03/14 11:48 linux-next 91265a6da44d 9e8eaa75 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/12/27 12:48 linux-next ea586a076e8a e4f103c4 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/10/20 07:33 linux-next 60e8840126bd 466b7db1 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/10/15 18:33 linux-next 7c832d2f9b95 0c5d9412 .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post
ci-upstream-linux-next-kasan-gce-root 2021/09/30 11:42 linux-next c7b4d0e56a1d be530f6c .config log report info KASAN: use-after-free Read in kernfs_next_descendant_post