All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, tj@kernel.org
Subject: Re: [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2)
Date: Thu, 20 Oct 2022 00:15:40 -0700	[thread overview]
Message-ID: <000000000000c183f505eb721745@google.com> (raw)
In-Reply-To: <0000000000003a95ce05cd867417@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    55be6084c8e0 Merge tag 'timers-core-2022-10-05' of git://g..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1449d53c880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=df75278aabf0681a
dashboard link: https://syzkaller.appspot.com/bug?extid=6bc35f3913193fe7f0d3
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e01c72880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1128908c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c791937c012/disk-55be6084.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cb21a2879b4c/vmlinux-55be6084.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:337 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
Read of size 2 at addr ffff88814591c180 by task kworker/0:2/140

CPU: 0 PID: 140 Comm: kworker/0:2 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 kernfs_type include/linux/kernfs.h:337 [inline]
 kernfs_leftmost_descendant fs/kernfs/dir.c:1262 [inline]
 kernfs_next_descendant_post+0x22a/0x2f0 fs/kernfs/dir.c:1293
 kernfs_activate fs/kernfs/dir.c:1344 [inline]
 kernfs_add_one+0x38d/0x4e0 fs/kernfs/dir.c:776
 kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:1021
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

Allocated by task 140:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:470
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3248 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node fs/kernfs/dir.c:665 [inline]
 kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:1011
 sysfs_create_dir_ns+0x127/0x290 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:63 [inline]
 kobject_add_internal+0x2c9/0x8f0 lib/kobject.c:223
 kobject_add_varg lib/kobject.c:358 [inline]
 kobject_add+0x150/0x1c0 lib/kobject.c:410
 class_dir_create_and_add drivers/base/core.c:3054 [inline]
 get_device_parent+0x3d7/0x590 drivers/base/core.c:3109
 device_add+0x2aa/0x1e90 drivers/base/core.c:3438
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:82 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x2d5/0xba0 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xbca/0x1190 drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 2933:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1759 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
 slab_free mm/slub.c:3539 [inline]
 kmem_cache_free+0xeb/0x5b0 mm/slub.c:3556
 kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:557
 kernfs_put+0x42/0x50 fs/kernfs/dir.c:531
 __kernfs_remove+0x463/0x600 fs/kernfs/dir.c:1443
 kernfs_remove+0x77/0xa0 fs/kernfs/dir.c:1463
 sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:101
 __kobject_del+0xe2/0x1f0 lib/kobject.c:588
 kobject_del lib/kobject.c:611 [inline]
 kobject_del+0x3c/0x60 lib/kobject.c:603
 device_del+0x81c/0xc80 drivers/base/core.c:3715
 usb_disconnect.cold+0x49b/0x6ed drivers/usb/core/hub.c:2261
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x45e0 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88814591c0e8
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 152 bytes inside of
 168-byte region [ffff88814591c0e8, ffff88814591c190)

The buggy address belongs to the physical page:
page:ffffea0005164700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14591c
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 0000000000000000 dead000000000001 ffff8880119dbb40
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 1564996231, free_ts 0
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
 alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2103
 alloc_pages+0x22f/0x270 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:1829 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1974
 new_slab mm/slub.c:2034 [inline]
 ___slab_alloc+0x84f/0xe80 mm/slub.c:3036
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
 slab_alloc_node mm/slub.c:3214 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x38c/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:603
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:665
 __kernfs_create_file+0x51/0x350 fs/kernfs/file.c:1043
 sysfs_add_file_mode_ns+0x20f/0x3f0 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x322/0xb10 fs/sysfs/group.c:148
 kernel_add_sysfs_param kernel/params.c:814 [inline]
 param_sysfs_builtin kernel/params.c:851 [inline]
 param_sysfs_init+0x342/0x43b kernel/params.c:970
 do_one_initcall+0xfe/0x650 init/main.c:1296
 do_initcall_level init/main.c:1369 [inline]
 do_initcalls init/main.c:1385 [inline]
 do_basic_setup init/main.c:1404 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1623
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88814591c080: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
 ffff88814591c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88814591c180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
                   ^
 ffff88814591c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
 ffff88814591c280: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
==================================================================


  reply	other threads:[~2022-10-20  7:17 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-04 12:57 [syzbot] KASAN: use-after-free Read in kernfs_next_descendant_post (2) syzbot
2022-10-20  7:15 ` syzbot [this message]
     [not found]   ` <20221021225228.1750-1-hdanton@sina.com>
2022-10-22  6:55     ` syzbot
2022-10-31 22:53     ` Tejun Heo
2022-11-14 17:34       ` Luis Chamberlain
2022-11-14 18:07         ` Dmitry Torokhov
2022-11-15 19:35           ` Luis Chamberlain
2022-11-15 20:12             ` Dmitry Torokhov
2022-11-15 22:14             ` Tejun Heo
2022-11-15  6:27         ` Dmitry Vyukov
     [not found] <20221020105004.1341-1-hdanton@sina.com>
2022-10-20 21:30 ` syzbot
     [not found] <20221021032341.1481-1-hdanton@sina.com>
2022-10-21  3:45 ` syzbot
     [not found] <20221021071306.1535-1-hdanton@sina.com>
2022-10-21  7:29 ` syzbot
     [not found] <20221021092625.1602-1-hdanton@sina.com>
2022-10-21  9:44 ` syzbot
     [not found] <20221021133530.1693-1-hdanton@sina.com>
2022-10-21 13:59 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000c183f505eb721745@google.com \
    --to=syzbot+6bc35f3913193fe7f0d3@syzkaller.appspotmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.