bisecting fixing commit since d5ad8ec3cfb56a017de6a784835666475b4be349 building syzkaller on 6c236867ce33c0c16b102e02a08226d7eb9b2046 testing commit d5ad8ec3cfb56a017de6a784835666475b4be349 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e30c785bb1a06bf9ef53e9ad250ae3f1102f55a8f7ed274832642fe974e4ee1b run #0: crashed: KASAN: use-after-free Write in alloc_ucounts run #1: crashed: KASAN: use-after-free Write in alloc_ucounts run #2: crashed: KASAN: use-after-free Write in alloc_ucounts run #3: crashed: KASAN: use-after-free Write in alloc_ucounts run #4: crashed: KASAN: use-after-free Write in alloc_ucounts run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: crashed: KASAN: use-after-free Write in alloc_ucounts run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK reproducer seems to be flaky testing current HEAD 4b93c544e90e2b28326182d31ee008eb80e02074 testing commit 4b93c544e90e2b28326182d31ee008eb80e02074 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: eeb7e8ea742370e576c7b63c71707ae3635a86bddbaea07b16e129f06e82b532 all runs: OK # git bisect start 4b93c544e90e2b28326182d31ee008eb80e02074 d5ad8ec3cfb56a017de6a784835666475b4be349 Bisecting: 5191 revisions left to test after this (roughly 12 steps) [ebf435d3b51b22340ef047aad0c2936ec4833ab2] Merge tag 'staging-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging testing commit ebf435d3b51b22340ef047aad0c2936ec4833ab2 arch/x86/kernel/setup.c:916:6: error: implicit declaration of function 'acpi_mps_check' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1110:2: error: implicit declaration of function 'acpi_table_upgrade' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1112:2: error: implicit declaration of function 'acpi_boot_table_init' [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1120:2: error: implicit declaration of function 'early_acpi_boot_init'; did you mean 'early_cpu_init'? [-Werror=implicit-function-declaration] arch/x86/kernel/setup.c:1162:2: error: implicit declaration of function 'acpi_boot_init' [-Werror=implicit-function-declaration] # git bisect skip ebf435d3b51b22340ef047aad0c2936ec4833ab2 Bisecting: 5191 revisions left to test after this (roughly 12 steps) [359f3d743f3a762cc2cc7ddb7c6fb4c57b9a06cc] Merge tag 'mmc-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit 359f3d743f3a762cc2cc7ddb7c6fb4c57b9a06cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4234f277c17ae1611a1b4cebccbb644c4297db59f237dbd02f5186dd41068d29 all runs: OK # git bisect bad 359f3d743f3a762cc2cc7ddb7c6fb4c57b9a06cc Bisecting: 1339 revisions left to test after this (roughly 10 steps) [44a7d4441181d0f2d622dc9bb512d7f5ca13f768] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 testing commit 44a7d4441181d0f2d622dc9bb512d7f5ca13f768 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: b2d82a553fd3abe1715495fe98589e5f521532909a18f6cc5df4e361f640f504 all runs: OK # git bisect bad 44a7d4441181d0f2d622dc9bb512d7f5ca13f768 Bisecting: 677 revisions left to test after this (roughly 9 steps) [e649e4c806b4ee41120bc51ee6698e87b3edc1fc] Merge tag 'platform-drivers-x86-v5.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 testing commit e649e4c806b4ee41120bc51ee6698e87b3edc1fc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 4e7d3443b6f0c0294f07e6529b200488ba43adb69a60f4180d422001b30de918 all runs: OK # git bisect bad e649e4c806b4ee41120bc51ee6698e87b3edc1fc Bisecting: 343 revisions left to test after this (roughly 8 steps) [1746f4db513563bb22e0ba0c419d0c90912dfae1] Merge tag 'orphans-v5.14-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux testing commit 1746f4db513563bb22e0ba0c419d0c90912dfae1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5169b49b1d0630f5316a45a6abab830c43be97e4f3ca9b38a69aeba6db51b845 all runs: OK # git bisect bad 1746f4db513563bb22e0ba0c419d0c90912dfae1 Bisecting: 166 revisions left to test after this (roughly 7 steps) [73f25536f27182ae3dcf4c0b91b1280cbbac7be3] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit 73f25536f27182ae3dcf4c0b91b1280cbbac7be3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ec2db5824f52ce3aa8ea26a611ef099c6a01f286bcdd9123d6243d42f75b098c all runs: OK # git bisect bad 73f25536f27182ae3dcf4c0b91b1280cbbac7be3 Bisecting: 70 revisions left to test after this (roughly 6 steps) [902e7f373fff2476b53824264c12e4e76c7ec02a] Merge tag 'net-5.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 902e7f373fff2476b53824264c12e4e76c7ec02a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 984b85ca076fd2eeeda85974bdd83fdb50caf3d7c4f3e27de4f160cce94579ac all runs: OK # git bisect bad 902e7f373fff2476b53824264c12e4e76c7ec02a Bisecting: 47 revisions left to test after this (roughly 6 steps) [afa00d3f5800a83228311636fc69fd28fb7af205] Merge branch 'eean-iosm-fixes' testing commit afa00d3f5800a83228311636fc69fd28fb7af205 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 46ada953f92a19d6138ba79efc32039c22d976c895780e393895fa9b91fc9df3 run #0: crashed: KASAN: use-after-free Write in alloc_ucounts run #1: crashed: KASAN: use-after-free Write in alloc_ucounts run #2: crashed: KASAN: use-after-free Write in alloc_ucounts run #3: crashed: KASAN: use-after-free Write in alloc_ucounts run #4: crashed: KASAN: use-after-free Write in alloc_ucounts run #5: crashed: KASAN: use-after-free Write in alloc_ucounts run #6: crashed: KASAN: use-after-free Write in alloc_ucounts run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good afa00d3f5800a83228311636fc69fd28fb7af205 Bisecting: 22 revisions left to test after this (roughly 5 steps) [97fcc07be81d4f49e1763483144ca7ff79fe0ad5] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 97fcc07be81d4f49e1763483144ca7ff79fe0ad5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 421574361c01605589ffa6747dd8e99448b3cdee069cf41925e202f49ceba0e3 run #0: crashed: BUG: sleeping function called from invalid context in lock_sock_nested run #1: crashed: KASAN: use-after-free Write in alloc_ucounts run #2: OK run #3: OK run #4: OK run #5: crashed: KASAN: use-after-free Write in alloc_ucounts run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: crashed: KASAN: use-after-free Write in alloc_ucounts run #17: OK run #18: OK run #19: OK # git bisect good 97fcc07be81d4f49e1763483144ca7ff79fe0ad5 Bisecting: 11 revisions left to test after this (roughly 4 steps) [3c3e9027071c979cfa7e48d9c2a39a4d56829236] Merge tag 'trace-v5.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 3c3e9027071c979cfa7e48d9c2a39a4d56829236 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 95c5a0cbf3acae22b058bfb9beb86dabdb2ed000e999d23631eee4df398d4e91 run #0: crashed: KASAN: use-after-free Write in alloc_ucounts run #1: crashed: KASAN: use-after-free Write in alloc_ucounts run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: crashed: KASAN: use-after-free Write in alloc_ucounts # git bisect good 3c3e9027071c979cfa7e48d9c2a39a4d56829236 Bisecting: 5 revisions left to test after this (roughly 3 steps) [6bb5318ce501cb744e58105ba56cd5308e75004d] Merge branch 'net-fix-use-after-free-bugs' testing commit 6bb5318ce501cb744e58105ba56cd5308e75004d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 9b64fe3a2e09635bef01199540032b2cfc54326376335b6ab888ba0189133c5c run #0: crashed: KASAN: use-after-free Write in alloc_ucounts run #1: crashed: KASAN: use-after-free Write in alloc_ucounts run #2: crashed: KASAN: use-after-free Write in alloc_ucounts run #3: crashed: KASAN: use-after-free Write in alloc_ucounts run #4: crashed: KASAN: use-after-free Write in alloc_ucounts run #5: crashed: KASAN: use-after-free Write in alloc_ucounts run #6: crashed: KASAN: use-after-free Write in alloc_ucounts run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good 6bb5318ce501cb744e58105ba56cd5308e75004d Bisecting: 1 revision left to test after this (roughly 2 steps) [0b53abfc5f66449d42fb1738c1c191e29e3be2e4] Merge tag 'selinux-pr-20210805' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux testing commit 0b53abfc5f66449d42fb1738c1c191e29e3be2e4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: db72c5bf19f2b40ff975b61b0ab0778f8f0e9cd43c4fa8bf6fa154625d9efb98 all runs: OK # git bisect bad 0b53abfc5f66449d42fb1738c1c191e29e3be2e4 Bisecting: 1 revision left to test after this (roughly 1 step) [6209049ecfc1894453d1fc850e60c58d4eccaf2a] Merge branch 'for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace testing commit 6209049ecfc1894453d1fc850e60c58d4eccaf2a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: db72c5bf19f2b40ff975b61b0ab0778f8f0e9cd43c4fa8bf6fa154625d9efb98 all runs: OK # git bisect bad 6209049ecfc1894453d1fc850e60c58d4eccaf2a Bisecting: 0 revisions left to test after this (roughly 0 steps) [345daff2e994ee844d6a609c37f085695fbb4c4d] ucounts: Fix race condition between alloc_ucounts and put_ucounts testing commit 345daff2e994ee844d6a609c37f085695fbb4c4d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 82fd8e73480d255b38537656c87cbbed4aef12acce22e2426c06400f9bce7b33 all runs: OK # git bisect bad 345daff2e994ee844d6a609c37f085695fbb4c4d 345daff2e994ee844d6a609c37f085695fbb4c4d is the first bad commit commit 345daff2e994ee844d6a609c37f085695fbb4c4d Author: Alexey Gladkov Date: Tue Jul 27 17:24:18 2021 +0200 ucounts: Fix race condition between alloc_ucounts and put_ucounts The race happens because put_ucounts() doesn't use spinlock and get_ucounts is not under spinlock: CPU0 CPU1 ---- ---- alloc_ucounts() put_ucounts() spin_lock_irq(&ucounts_lock); ucounts = find_ucounts(ns, uid, hashent); atomic_dec_and_test(&ucounts->count)) spin_unlock_irq(&ucounts_lock); spin_lock_irqsave(&ucounts_lock, flags); hlist_del_init(&ucounts->node); spin_unlock_irqrestore(&ucounts_lock, flags); kfree(ucounts); ucounts = get_ucounts(ucounts); ================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_add_negative include/asm-generic/atomic-instrumented.h:556 [inline] BUG: KASAN: use-after-free in get_ucounts kernel/ucount.c:152 [inline] BUG: KASAN: use-after-free in get_ucounts kernel/ucount.c:150 [inline] BUG: KASAN: use-after-free in alloc_ucounts+0x19b/0x5b0 kernel/ucount.c:188 Write of size 4 at addr ffff88802821e41c by task syz-executor.4/16785 CPU: 1 PID: 16785 Comm: syz-executor.4 Not tainted 5.14.0-rc1-next-20210712-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_add_negative include/asm-generic/atomic-instrumented.h:556 [inline] get_ucounts kernel/ucount.c:152 [inline] get_ucounts kernel/ucount.c:150 [inline] alloc_ucounts+0x19b/0x5b0 kernel/ucount.c:188 set_cred_ucounts+0x171/0x3a0 kernel/cred.c:684 __sys_setuid+0x285/0x400 kernel/sys.c:623 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fde54097188 EFLAGS: 00000246 ORIG_RAX: 0000000000000069 RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000ff RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffc8655740f R14: 00007fde54097300 R15: 0000000000022000 Allocated by task 16784: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522 kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] alloc_ucounts+0x23d/0x5b0 kernel/ucount.c:169 set_cred_ucounts+0x171/0x3a0 kernel/cred.c:684 __sys_setuid+0x285/0x400 kernel/sys.c:623 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 16785: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:229 [inline] slab_free_hook mm/slub.c:1650 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1675 slab_free mm/slub.c:3235 [inline] kfree+0xeb/0x650 mm/slub.c:4295 put_ucounts kernel/ucount.c:200 [inline] put_ucounts+0x117/0x150 kernel/ucount.c:192 put_cred_rcu+0x27a/0x520 kernel/cred.c:124 rcu_do_batch kernel/rcu/tree.c:2550 [inline] rcu_core+0x7ab/0x1380 kernel/rcu/tree.c:2785 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 netdev_queue_add_kobject net/core/net-sysfs.c:1621 [inline] netdev_queue_update_kobjects+0x374/0x450 net/core/net-sysfs.c:1655 register_queue_kobjects net/core/net-sysfs.c:1716 [inline] netdev_register_kobject+0x35a/0x430 net/core/net-sysfs.c:1959 register_netdevice+0xd33/0x1500 net/core/dev.c:10331 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:317 [inline] nsim_create+0x381/0x4d0 drivers/net/netdevsim/netdev.c:364 __nsim_dev_port_add+0x32e/0x830 drivers/net/netdevsim/dev.c:1295 nsim_dev_port_add_all+0x53/0x150 drivers/net/netdevsim/dev.c:1355 nsim_dev_probe+0xcb5/0x1190 drivers/net/netdevsim/dev.c:1496 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3356 nsim_bus_dev_new drivers/net/netdevsim/bus.c:431 [inline] new_device_store+0x436/0x710 drivers/net/netdevsim/bus.c:298 bus_attr_store+0x72/0xa0 drivers/base/bus.c:122 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2152 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x75a/0xa40 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] call_usermodehelper_exec+0x1f0/0x4c0 kernel/umh.c:435 kobject_uevent_env+0xf8f/0x1650 lib/kobject_uevent.c:618 kobject_synth_uevent+0x701/0x850 lib/kobject_uevent.c:208 uevent_store+0x20/0x50 drivers/base/core.c:2371 dev_attr_store+0x50/0x80 drivers/base/core.c:2072 sysfs_kf_write+0x110/0x160 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x342/0x500 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2152 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x75a/0xa40 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88802821e400 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 28 bytes inside of 192-byte region [ffff88802821e400, ffff88802821e4c0) The buggy address belongs to the page: page:ffffea0000a08780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2821e flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010841a00 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 12874702440, free_ts 12637793385 prep_new_page mm/page_alloc.c:2433 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5374 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2119 alloc_pages+0x238/0x2a0 mm/mempolicy.c:2242 alloc_slab_page mm/slub.c:1713 [inline] allocate_slab+0x32b/0x4c0 mm/slub.c:1853 new_slab mm/slub.c:1916 [inline] new_slab_objects mm/slub.c:2662 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2825 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2865 slab_alloc_node mm/slub.c:2947 [inline] slab_alloc mm/slub.c:2989 [inline] __kmalloc+0x312/0x330 mm/slub.c:4133 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1318 rds_tcp_init_net+0x1db/0x4f0 net/rds/tcp.c:551 ops_init+0xaf/0x470 net/core/net_namespace.c:140 __register_pernet_operations net/core/net_namespace.c:1137 [inline] register_pernet_operations+0x35a/0x850 net/core/net_namespace.c:1214 register_pernet_device+0x26/0x70 net/core/net_namespace.c:1301 rds_tcp_init+0x77/0xe0 net/rds/tcp.c:717 do_one_initcall+0x103/0x650 init/main.c:1285 do_initcall_level init/main.c:1360 [inline] do_initcalls init/main.c:1376 [inline] do_basic_setup init/main.c:1396 [inline] kernel_init_freeable+0x6b8/0x741 init/main.c:1598 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1343 [inline] free_pcp_prepare+0x312/0x7d0 mm/page_alloc.c:1394 free_unref_page_prepare mm/page_alloc.c:3329 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3408 __vunmap+0x783/0xb70 mm/vmalloc.c:2587 free_work+0x58/0x70 mm/vmalloc.c:82 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff88802821e300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88802821e380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc >ffff88802821e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802821e480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88802821e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== - The race fix has two parts. * Changing the code to guarantee that ucounts->count is only decremented when ucounts_lock is held. This guarantees that find_ucounts will never find a structure with a zero reference count. * Changing alloc_ucounts to increment ucounts->count while ucounts_lock is held. This guarantees the reference count on the found data structure will not be decremented to zero (and the data structure freed) before the reference count is incremented. -- Eric Biederman Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com Reported-by: syzbot+59dd63761094a80ad06d@syzkaller.appspotmail.com Reported-by: syzbot+6cd79f45bb8fa1c9eeae@syzkaller.appspotmail.com Reported-by: syzbot+b6e65bd125a05f803d6b@syzkaller.appspotmail.com Fixes: b6c336528926 ("Use atomic_t for ucounts reference counting") Cc: Hillf Danton Signed-off-by: Alexey Gladkov Link: https://lkml.kernel.org/r/7b2ace1759b281cdd2d66101d6b305deef722efb.1627397820.git.legion@kernel.org Signed-off-by: Eric W. Biederman kernel/ucount.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) parent commit ff1176468d368232b684f75e82563369208bc371 wasn't tested testing commit ff1176468d368232b684f75e82563369208bc371 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 2845620812eb64c4ec67b80468782faa9773f4bf524936775150f0f3f2563d43 culprit signature: 82fd8e73480d255b38537656c87cbbed4aef12acce22e2426c06400f9bce7b33 parent signature: 2845620812eb64c4ec67b80468782faa9773f4bf524936775150f0f3f2563d43 Reproducer flagged being flaky revisions tested: 15, total time: 4h17m26.390156232s (build: 1h57m17.131345536s, test: 2h18m14.720377104s) first good commit: 345daff2e994ee844d6a609c37f085695fbb4c4d ucounts: Fix race condition between alloc_ucounts and put_ucounts recipients (to): ["ebiederm@xmission.com" "legion@kernel.org" "linux-kernel@vger.kernel.org"] recipients (cc): ["ebiederm@xmission.com" "legion@kernel.org"]