From: syzbot <syzbot+782984d6f1701b526edb@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, tj@kernel.org
Subject: [syzbot] KASAN: use-after-free Read in kernfs_activate (2)
Date: Sun, 13 Nov 2022 07:40:56 -0800 [thread overview]
Message-ID: <000000000000e4e4fe05ed5bf2b0@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 59f2f4b8a757 fs/userfaultfd: Fix maple tree iterator in us..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e836fa880000
kernel config: https://syzkaller.appspot.com/x/.config?x=480ba0fb2fd243ac
dashboard link: https://syzkaller.appspot.com/bug?extid=782984d6f1701b526edb
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/619de907b82c/disk-59f2f4b8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bcd0dc7d69ef/vmlinux-59f2f4b8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a8dbe0bc7228/bzImage-59f2f4b8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+782984d6f1701b526edb@syzkaller.appspotmail.com
usb 4-1: Direct firmware load for ueagle-atm/eagleII.fw failed with error -2
usb 4-1: Falling back to sysfs fallback for: ueagle-atm/eagleII.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
BUG: KASAN: use-after-free in kernfs_next_descendant_post fs/kernfs/dir.c:1289 [inline]
BUG: KASAN: use-after-free in kernfs_activate+0xd0/0x3a0 fs/kernfs/dir.c:1344
Read of size 8 at addr ffff888079194b10 by task kworker/1:12/5383
CPU: 1 PID: 5383 Comm: kworker/1:12 Not tainted 6.1.0-rc4-syzkaller-00011-g59f2f4b8a757 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x220 mm/kasan/report.c:395
kasan_report+0x139/0x170 mm/kasan/report.c:495
kernfs_root fs/kernfs/kernfs-internal.h:66 [inline]
kernfs_next_descendant_post fs/kernfs/dir.c:1289 [inline]
kernfs_activate+0xd0/0x3a0 fs/kernfs/dir.c:1344
kernfs_add_one+0x465/0x560 fs/kernfs/dir.c:776
kernfs_create_dir_ns+0x1bf/0x220 fs/kernfs/dir.c:1021
sysfs_create_dir_ns+0x181/0x390 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x6dd/0xd10 lib/kobject.c:223
kobject_add_varg lib/kobject.c:358 [inline]
kobject_add+0x14c/0x210 lib/kobject.c:410
device_add+0x47d/0xf90 drivers/base/core.c:3452
fw_load_sysfs_fallback+0xd4/0x5e0 drivers/base/firmware_loader/fallback.c:82
fw_load_from_user_helper+0x12d/0x1f0 drivers/base/firmware_loader/fallback.c:158
_request_firmware+0x446/0x6a0 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0x125/0x270 drivers/base/firmware_loader/main.c:1105
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 5383:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x1cc/0x300 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:702 [inline]
__kernfs_new_node+0xdb/0x730 fs/kernfs/dir.c:603
kernfs_new_node fs/kernfs/dir.c:665 [inline]
kernfs_create_dir_ns+0x90/0x220 fs/kernfs/dir.c:1011
sysfs_create_dir_ns+0x181/0x390 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x6dd/0xd10 lib/kobject.c:223
kobject_add_varg lib/kobject.c:358 [inline]
kobject_add+0x14c/0x210 lib/kobject.c:410
device_add+0x47d/0xf90 drivers/base/core.c:3452
fw_load_sysfs_fallback+0xd4/0x5e0 drivers/base/firmware_loader/fallback.c:82
fw_load_from_user_helper+0x12d/0x1f0 drivers/base/firmware_loader/fallback.c:158
_request_firmware+0x446/0x6a0 drivers/base/firmware_loader/main.c:856
request_firmware_work_func+0x125/0x270 drivers/base/firmware_loader/main.c:1105
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
Freed by task 3754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:511
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3683
kernfs_put+0x340/0x490 fs/kernfs/dir.c:557
__kernfs_remove+0x980/0xa90 fs/kernfs/dir.c:1443
kernfs_remove+0x76/0x90 fs/kernfs/dir.c:1463
__kobject_del+0xdc/0x300 lib/kobject.c:588
kobject_del+0x41/0x60 lib/kobject.c:611
device_del+0xa10/0xbe0 drivers/base/core.c:3715
usb_disconnect+0x56e/0x890 drivers/usb/core/hub.c:2261
hub_port_connect+0x296/0x2910 drivers/usb/core/hub.c:5197
hub_port_connect_change+0x619/0xbe0 drivers/usb/core/hub.c:5497
port_event+0xec6/0x13b0 drivers/usb/core/hub.c:5653
hub_event+0x5c1/0xd80 drivers/usb/core/hub.c:5735
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
process_scheduled_works kernel/workqueue.c:2352 [inline]
worker_thread+0xe16/0x1330 kernel/workqueue.c:2438
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
The buggy address belongs to the object at ffff888079194ae0
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
168-byte region [ffff888079194ae0, ffff888079194b88)
The buggy address belongs to the physical page:
page:ffffea0001e46500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79194
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00009ddc80 dead000000000004 ffff8880121d5dc0
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3659, tgid 3659 (syz-executor.4), ts 217350520729, free_ts 217156331022
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4288
__alloc_pages+0x259/0x560 mm/page_alloc.c:5555
alloc_slab_page+0x70/0xf0 mm/slub.c:1794
allocate_slab+0x5e/0x4b0 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0x7f4/0xeb0 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x24c/0x300 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:702 [inline]
__kernfs_new_node+0xdb/0x730 fs/kernfs/dir.c:603
kernfs_new_node fs/kernfs/dir.c:665 [inline]
kernfs_create_dir_ns+0x90/0x220 fs/kernfs/dir.c:1011
sysfs_create_dir_ns+0x181/0x390 fs/sysfs/dir.c:59
create_dir lib/kobject.c:63 [inline]
kobject_add_internal+0x6dd/0xd10 lib/kobject.c:223
kset_register lib/kobject.c:846 [inline]
kset_create_and_add+0x201/0x280 lib/kobject.c:983
register_queue_kobjects net/core/net-sysfs.c:1766 [inline]
netdev_register_kobject+0x1a2/0x310 net/core/net-sysfs.c:2019
register_netdevice+0x136c/0x1a20 net/core/dev.c:10057
veth_newlink+0x638/0xd10 drivers/net/veth.c:1764
rtnl_newlink_create net/core/rtnetlink.c:3364 [inline]
__rtnl_newlink net/core/rtnetlink.c:3581 [inline]
rtnl_newlink+0x14ed/0x2060 net/core/rtnetlink.c:3594
rtnetlink_rcv_msg+0x7b8/0xe90 net/core/rtnetlink.c:6091
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare+0x80c/0x8f0 mm/page_alloc.c:1509
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x7d/0x630 mm/page_alloc.c:3483
free_slab mm/slub.c:2031 [inline]
discard_slab mm/slub.c:2037 [inline]
__unfreeze_partials+0x1ab/0x200 mm/slub.c:2586
put_cpu_partial+0x116/0x180 mm/slub.c:2662
qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
__kmem_cache_alloc_node+0x1d7/0x310 mm/slub.c:3437
kmalloc_trace+0x26/0x60 mm/slab_common.c:1046
kmalloc include/linux/slab.h:576 [inline]
kzalloc include/linux/slab.h:712 [inline]
kobject_uevent_env+0x33a/0x8e0 lib/kobject_uevent.c:524
__kobject_del+0xcd/0x300 lib/kobject.c:585
kobject_cleanup+0x25d/0x470 lib/kobject.c:664
netdev_queue_update_kobjects+0x417/0x4c0 net/core/net-sysfs.c:1733
netif_set_real_num_tx_queues+0x16d/0x880 net/core/dev.c:2893
veth_init_queues+0x81/0x170 drivers/net/veth.c:1687
veth_newlink+0xa59/0xd10 drivers/net/veth.c:1813
Memory state around the buggy address:
ffff888079194a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888079194a80: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
>ffff888079194b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888079194b80: fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
ffff888079194c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
next reply other threads:[~2022-11-13 15:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-13 15:40 syzbot [this message]
2022-11-14 21:42 ` [syzbot] KASAN: use-after-free Read in kernfs_activate (2) Tejun Heo
2022-11-15 6:12 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000e4e4fe05ed5bf2b0@google.com \
--to=syzbot+782984d6f1701b526edb@syzkaller.appspotmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.