Hello,
syzbot found the following issue on:
HEAD commit: 4944ec82ebb9 Merge 5.10.76 into android12-5.10-lts
git tree: android12-5.10-lts
console output:
https://syzkaller.appspot.com/x/log.txt?x=102883e2b00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=a9fabc39a1bc8139
dashboard link:
https://syzkaller.appspot.com/bug?extid=d504c282c2815ccf0fca
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=144948bcb00000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=13bc7e22b00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+d504c2...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3204 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x320 mm/slub.c:4192
CPU: 1 PID: 745 Comm: syz-executor107 Not tainted 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x8d/0x3d0 mm/kasan/report.c:233
kasan_report_invalid_free+0x58/0x130 mm/kasan/report.c:358
____kasan_slab_free+0x14b/0x170 mm/kasan/common.c:362
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1596 [inline]
slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1622
slab_free mm/slub.c:3204 [inline]
kfree+0xd5/0x320 mm/slub.c:4192
io_put_identity fs/io_uring.c:1262 [inline]
io_req_clean_work fs/io_uring.c:1300 [inline]
io_dismantle_req+0x9b0/0xd90 fs/io_uring.c:1896
io_req_free_batch fs/io_uring.c:2200 [inline]
io_iopoll_complete fs/io_uring.c:2375 [inline]
io_do_iopoll+0x13b4/0x23f0 fs/io_uring.c:2431
io_iopoll_try_reap_events+0x116/0x290 fs/io_uring.c:2470
__io_uring_cancel_task_requests fs/io_uring.c:8713 [inline]
io_uring_cancel_task_requests+0x196d/0x1ed0 fs/io_uring.c:8762
io_uring_flush+0x170/0x6d0 fs/io_uring.c:8923
filp_close+0xb0/0x150 fs/open.c:1319
close_files fs/file.c:401 [inline]
put_files_struct+0x1d4/0x350 fs/file.c:429
exit_files+0x80/0xa0 fs/file.c:458
do_exit+0x6d9/0x23a0 kernel/exit.c:808
do_group_exit+0x16a/0x2d0 kernel/exit.c:910
get_signal+0x133e/0x1f80 kernel/signal.c:2790
arch_do_signal+0x8d/0x620 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
exit_to_user_mode_prepare+0xaa/0xe0 kernel/entry/common.c:191
syscall_exit_to_user_mode+0x24/0x40 kernel/entry/common.c:266
do_syscall_64+0x3d/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f4c2f5144f9
Code: Unable to access opcode bytes at RIP 0x7f4c2f5144cf.
RSP: 002b:00007f4c2f4a4218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f4c2f59c438 RCX: 00007f4c2f5144f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f4c2f59c438
RBP: 00007f4c2f59c430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c2f59c43c
R13: 00007ffd3aa4160f R14: 00007f4c2f4a4300 R15: 0000000000022000
Allocated by task 739:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:428 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
kasan_kmalloc include/linux/kasan.h:269 [inline]
kmem_cache_alloc_trace+0x210/0x3a0 mm/slub.c:2975
kmalloc include/linux/slab.h:552 [inline]
io_uring_alloc_task_context+0x57/0x550 fs/io_uring.c:7901
io_uring_add_task_file+0x1f7/0x290 fs/io_uring.c:8779
io_uring_install_fd fs/io_uring.c:9313 [inline]
io_uring_create+0x2195/0x3490 fs/io_uring.c:9515
io_uring_setup fs/io_uring.c:9554 [inline]
__do_sys_io_uring_setup fs/io_uring.c:9560 [inline]
__se_sys_io_uring_setup fs/io_uring.c:9557 [inline]
__x64_sys_io_uring_setup+0x1ce/0x290 fs/io_uring.c:9557
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88811dccd600
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 88 bytes inside of
192-byte region [ffff88811dccd600, ffff88811dccd6c0)
The buggy address belongs to the page:
page:ffffea0004773340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11dccd
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100043380
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 719, ts 38590936224, free_ts 38401483063
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2385 [inline]
prep_new_page mm/page_alloc.c:2391 [inline]
get_page_from_freelist+0xa74/0xa90 mm/page_alloc.c:4063
__alloc_pages_nodemask+0x3c8/0x820 mm/page_alloc.c:5106
alloc_slab_page mm/slub.c:1807 [inline]
allocate_slab+0x6b/0x350 mm/slub.c:1809
new_slab mm/slub.c:1870 [inline]
new_slab_objects mm/slub.c:2629 [inline]
___slab_alloc+0x143/0x2f0 mm/slub.c:2792
__slab_alloc mm/slub.c:2832 [inline]
slab_alloc_node mm/slub.c:2914 [inline]
slab_alloc mm/slub.c:2956 [inline]
kmem_cache_alloc_trace+0x278/0x3a0 mm/slub.c:2973
kmalloc include/linux/slab.h:552 [inline]
io_uring_alloc_task_context+0x57/0x550 fs/io_uring.c:7901
io_sq_offload_create fs/io_uring.c:7987 [inline]
io_uring_create+0x27dc/0x3490 fs/io_uring.c:9470
io_uring_setup fs/io_uring.c:9554 [inline]
__do_sys_io_uring_setup fs/io_uring.c:9560 [inline]
__se_sys_io_uring_setup fs/io_uring.c:9557 [inline]
__x64_sys_io_uring_setup+0x1ce/0x290 fs/io_uring.c:9557
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
reset_page_owner include/linux/page_owner.h:28 [inline]
free_pages_prepare mm/page_alloc.c:1331 [inline]
free_pcp_prepare+0x18f/0x1c0 mm/page_alloc.c:1405
free_unref_page_prepare mm/page_alloc.c:3291 [inline]
free_unref_page mm/page_alloc.c:3341 [inline]
free_the_page mm/page_alloc.c:5165 [inline]
__free_pages+0x2e3/0x4a0 mm/page_alloc.c:5173
free_pages+0x7c/0x90 mm/page_alloc.c:5184
tlb_batch_list_free mm/mmu_gather.c:61 [inline]
tlb_finish_mmu+0x123/0x1f0 mm/mmu_gather.c:331
exit_mmap+0x2e8/0x570 mm/mmap.c:3326
__mmput+0x95/0x2c0 kernel/fork.c:1128
mmput+0x4b/0x50 kernel/fork.c:1149
exit_mm+0x615/0x7e0 kernel/exit.c:489
do_exit+0x6c4/0x23a0 kernel/exit.c:800
do_group_exit+0x16a/0x2d0 kernel/exit.c:910
get_signal+0x133e/0x1f80 kernel/signal.c:2790
arch_do_signal+0x8d/0x620 arch/x86/kernel/signal.c:805
exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
exit_to_user_mode_prepare+0xaa/0xe0 kernel/entry/common.c:191
syscall_exit_to_user_mode+0x24/0x40 kernel/entry/common.c:266
do_syscall_64+0x3d/0x70 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Memory state around the buggy address:
ffff88811dccd500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88811dccd580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88811dccd600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff88811dccd680: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
ffff88811dccd700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches