[syzbot] [net?] KASAN: slab-use-after-free Read in taprio_dump

18 views

Skip to first unread message

syzbot

unread,

Dec 18, 2023, 9:33:28 AM12/18/23

to da...@davemloft.net, edum...@google.com, j...@mojatatu.com, ji...@resnulli.us, ku...@kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, viniciu...@intel.com, xiyou.w...@gmail.com

Hello,

syzbot found the following issue on:

HEAD commit: d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=126c1c8ae80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f36ea342ce412b14
dashboard link: https://syzkaller.appspot.com/bug?extid=d4d8c0fd15a0abe39bcf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112380bae80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e40371e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/edab88544ce7/disk-d5b235ec.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2d149255b78d/vmlinux-d5b235ec.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c3bfc66db2fc/Image-d5b235ec.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d4d8c0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in taprio_dump_tc_entries net/sched/sch_taprio.c:2307 [inline]
BUG: KASAN: slab-use-after-free in taprio_dump+0x72c/0xb94 net/sched/sch_taprio.c:2420
Read of size 4 at addr ffff0000c1f660d8 by task syz-executor368/7987

CPU: 0 PID: 7987 Comm: syz-executor368 Not tainted 6.7.0-rc5-syzkaller-gd5b235ec8eab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x174/0x514 mm/kasan/report.c:475
kasan_report+0xd8/0x138 mm/kasan/report.c:588
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
taprio_dump_tc_entries net/sched/sch_taprio.c:2307 [inline]
taprio_dump+0x72c/0xb94 net/sched/sch_taprio.c:2420
tc_fill_qdisc+0x570/0xf1c net/sched/sch_api.c:952
qdisc_notify+0x1a0/0x338 net/sched/sch_api.c:1024
tc_modify_qdisc+0x16d4/0x1870 net/sched/sch_api.c:1719
rtnetlink_rcv_msg+0x748/0xdbc net/core/rtnetlink.c:6558
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2545
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6576
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x83c/0xb20 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x56c/0x840 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2667
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2674
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Allocated by task 7987:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:198 [inline]
kmalloc_trace+0x70/0x88 mm/slab_common.c:1103
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
taprio_change+0xd74/0x3c54 net/sched/sch_taprio.c:1881
qdisc_change net/sched/sch_api.c:1387 [inline]
tc_modify_qdisc+0x1474/0x1870 net/sched/sch_api.c:1717
rtnetlink_rcv_msg+0x748/0xdbc net/core/rtnetlink.c:6558
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2545
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6576
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x83c/0xb20 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x56c/0x840 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2667
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2674
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Freed by task 40:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x2ac/0x480 mm/slub.c:3822
kfree+0xb8/0x19c mm/slab_common.c:1056
taprio_free_sched_cb+0x158/0x178 net/sched/sch_taprio.c:199
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x890/0x1b34 kernel/rcu/tree.c:2431
rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2448
__do_softirq+0x2d8/0xce4 kernel/softirq.c:553

Last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
__call_rcu_common kernel/rcu/tree.c:2681 [inline]
call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2795
switch_schedules net/sched/sch_taprio.c:210 [inline]
advance_sched+0x7e0/0xac0 net/sched/sch_taprio.c:984
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x484/0xca0 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x2c0/0xb64 kernel/time/hrtimer.c:1814
timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
arch_timer_handler_virt+0x74/0x88 drivers/clocksource/arm_arch_timer.c:685
handle_percpu_devid_irq+0x2a4/0x804 kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
generic_handle_domain_irq+0x7c/0xc4 kernel/irq/irqdesc.c:728
__gic_handle_irq drivers/irqchip/irq-gic-v3.c:782 [inline]
__gic_handle_irq_from_irqson drivers/irqchip/irq-gic-v3.c:833 [inline]
gic_handle_irq+0x6c/0x190 drivers/irqchip/irq-gic-v3.c:877

Second to last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
__call_rcu_common kernel/rcu/tree.c:2681 [inline]
call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2795
switch_schedules net/sched/sch_taprio.c:210 [inline]
advance_sched+0x7e0/0xac0 net/sched/sch_taprio.c:984
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x484/0xca0 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x2c0/0xb64 kernel/time/hrtimer.c:1814
timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
arch_timer_handler_virt+0x74/0x88 drivers/clocksource/arm_arch_timer.c:685
handle_percpu_devid_irq+0x2a4/0x804 kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
generic_handle_domain_irq+0x7c/0xc4 kernel/irq/irqdesc.c:728
__gic_handle_irq drivers/irqchip/irq-gic-v3.c:782 [inline]
__gic_handle_irq_from_irqson drivers/irqchip/irq-gic-v3.c:833 [inline]
gic_handle_irq+0x6c/0x190 drivers/irqchip/irq-gic-v3.c:877

The buggy address belongs to the object at ffff0000c1f66000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 216 bytes inside of
freed 512-byte region [ffff0000c1f66000, ffff0000c1f66200)

The buggy address belongs to the physical page:
page:00000000dead7e4a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000c1f64800 pfn:0x101f64
head:00000000dead7e4a order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c0001c80 fffffc00036bd110 fffffc0003653210
raw: ffff0000c1f64800 000000000010000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000c1f65f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c1f66000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000c1f66080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000c1f66100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000c1f66180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

unread,

Dec 19, 2023, 6:00:02 AM12/19/23

to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Mon, 18 Dec 2023 06:33:26 -0800

> HEAD commit: d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e40371e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git d5b235ec8eab

--- x/net/sched/sch_taprio.c
+++ y/net/sched/sch_taprio.c
@@ -2393,6 +2393,7 @@ static int taprio_dump(struct Qdisc *sch
struct sched_gate_list *oper, *admin;
struct tc_mqprio_qopt opt = { 0 };
struct nlattr *nest, *sched_nest;
+ int active = hrtimer_cancel(&q->advance_timer);

oper = rtnl_dereference(q->oper_sched);
admin = rtnl_dereference(q->admin_sched);
@@ -2436,6 +2437,10 @@ static int taprio_dump(struct Qdisc *sch
nla_nest_end(skb, sched_nest);

done:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return nla_nest_end(skb, nest);

admin_error:
@@ -2445,6 +2450,10 @@ options_error:
nla_nest_cancel(skb, nest);

start_error:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return -ENOSPC;
}

--

syzbot

unread,

Dec 19, 2023, 6:20:08 AM12/19/23

to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in call_rcu

------------[ cut here ]------------
ODEBUG: activate active (active state 1) object: 00000000dde3d5ec object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 6475 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 6475 at lib/debugobjects.c:517 debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
Modules linked in:
CPU: 0 PID: 6475 Comm: syz-executor.4 Not tainted 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023

pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
sp : ffff800080007a00
x29: ffff800080007ad0 x28: dfff800000000000 x27: ffff700010000f44
x26: 0000000000000000 x25: ffff0000e798f100 x24: 0000000000000000
x23: ffff80008a9af3a0 x22: ffff80008ae8cdc0 x21: 0000000000000001
x20: ffff80008a9af3a0 x19: ffff0000e798f100 x18: ffff800080006ee0
x17: 6535643365646430 x16: ffff80008a82f3a0 x15: 0000000000000001
x14: 1fffe0003682623a x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000010004 x10: 0000000000ff0100 x9 : 20b7275ad0946800
x8 : 20b7275ad0946800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000800072f8 x4 : ffff80008e5d2600 x3 : ffff8000805ad1c0
x2 : 0000000000000001 x1 : 0000000100010002 x0 : 0000000000000000
Call trace:
debug_print_object lib/debugobjects.c:514 [inline]
debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
__call_rcu_common kernel/rcu/tree.c:2666 [inline]
call_rcu+0x48/0xaf4 kernel/rcu/tree.c:2795

switch_schedules net/sched/sch_taprio.c:210 [inline]
advance_sched+0x7e0/0xac0 net/sched/sch_taprio.c:984
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x484/0xca0 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x2c0/0xb64 kernel/time/hrtimer.c:1814
timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
arch_timer_handler_virt+0x74/0x88 drivers/clocksource/arm_arch_timer.c:685
handle_percpu_devid_irq+0x2a4/0x804 kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
generic_handle_domain_irq+0x7c/0xc4 kernel/irq/irqdesc.c:728
__gic_handle_irq drivers/irqchip/irq-gic-v3.c:782 [inline]
__gic_handle_irq_from_irqson drivers/irqchip/irq-gic-v3.c:833 [inline]
gic_handle_irq+0x6c/0x190 drivers/irqchip/irq-gic-v3.c:877

call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
do_interrupt_handler+0xd4/0x138 arch/arm64/kernel/entry-common.c:276
__el1_irq arch/arm64/kernel/entry-common.c:502 [inline]
el1_interrupt+0x34/0x68 arch/arm64/kernel/entry-common.c:517
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:522
el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:591
__daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]
raw_spin_rq_unlock_irq kernel/sched/sched.h:1361 [inline]
finish_lock_switch+0xc0/0x1e4 kernel/sched/core.c:5130
finish_task_switch+0x120/0x614 kernel/sched/core.c:5248
context_switch kernel/sched/core.c:5379 [inline]
__schedule+0x1358/0x2360 kernel/sched/core.c:6688
__schedule_loop kernel/sched/core.c:6763 [inline]
schedule+0xb8/0x19c kernel/sched/core.c:6778
do_nanosleep+0x170/0x504 kernel/time/hrtimer.c:2047
hrtimer_nanosleep+0x1c4/0x358 kernel/time/hrtimer.c:2100
common_nsleep+0xa8/0xc0 kernel/time/posix-timers.c:1350
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1396 [inline]
__se_sys_clock_nanosleep kernel/time/posix-timers.c:1373 [inline]
__arm64_sys_clock_nanosleep+0x350/0x38c kernel/time/posix-timers.c:1373

__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

irq event stamp: 3966950
hardirqs last enabled at (3966949): [<ffff80008028f0b8>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1361 [inline]
hardirqs last enabled at (3966949): [<ffff80008028f0b8>] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5130
hardirqs last disabled at (3966950): [<ffff80008a82af84>] __el1_irq arch/arm64/kernel/entry-common.c:499 [inline]
hardirqs last disabled at (3966950): [<ffff80008a82af84>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:517
softirqs last enabled at (3966932): [<ffff80008002189c>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last enabled at (3966932): [<ffff80008002189c>] __do_softirq+0xac8/0xce4 kernel/softirq.c:582
softirqs last disabled at (3966927): [<ffff80008002aadc>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: active_state active (active state 1) object: 00000000dde3d5ec object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 6475 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 6475 at lib/debugobjects.c:517 debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
Modules linked in:
CPU: 0 PID: 6475 Comm: syz-executor.4 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023

pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
sp : ffff800080007ac0
x29: ffff800080007ad0 x28: ffff80008e4f0000 x27: dfff800000000000
x26: 1fffe0001ae8f202 x25: ffff800092d4d000 x24: 1fffe0001ae8f203
x23: 0000000000000000 x22: ffff0000e798f100 x21: ffff80008a9af3a0
x20: ffff80008ae8cdc0 x19: 0000000000000001 x18: ffff800080006ee0
x17: 6564643030303030 x16: ffff80008a82f3a0 x15: 0000000000000001
x14: 1fffe0003682623a x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000010004 x10: 0000000000ff0100 x9 : 20b7275ad0946800
x8 : 20b7275ad0946800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000800073b8 x4 : ffff80008e5d2600 x3 : ffff8000805ad1c0
x2 : 0000000000000001 x1 : 0000000100010002 x0 : 0000000000000000
Call trace:
debug_print_object lib/debugobjects.c:514 [inline]
debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
debug_rcu_head_queue kernel/rcu/rcu.h:228 [inline]
__call_rcu_common kernel/rcu/tree.c:2666 [inline]
call_rcu+0x60/0xaf4 kernel/rcu/tree.c:2795

irq event stamp: 3966950
hardirqs last enabled at (3966949): [<ffff80008028f0b8>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1361 [inline]
hardirqs last enabled at (3966949): [<ffff80008028f0b8>] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5130
hardirqs last disabled at (3966950): [<ffff80008a82af84>] __el1_irq arch/arm64/kernel/entry-common.c:499 [inline]
hardirqs last disabled at (3966950): [<ffff80008a82af84>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:517
softirqs last enabled at (3966932): [<ffff80008002189c>] softirq_handle_end kernel/softirq.c:399 [inline]
softirqs last enabled at (3966932): [<ffff80008002189c>] __do_softirq+0xac8/0xce4 kernel/softirq.c:582
softirqs last disabled at (3966927): [<ffff80008002aadc>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
---[ end trace 0000000000000000 ]---
rcu: __call_rcu_common(): Double-freed CB 00000000dde3d5ec->taprio_free_sched_cb+0x0/0x178()!!! slab kmalloc-512 start ffff0000e798f000 pointer offset 256 size 512

Tested on:

commit: d5b235ec Merge branch 'for-next/core' into for-kernelci
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13e8c811e80000

kernel config: https://syzkaller.appspot.com/x/.config?x=f36ea342ce412b14
dashboard link: https://syzkaller.appspot.com/bug?extid=d4d8c0fd15a0abe39bcf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=179f7076e80000

Hillf Danton

unread,

Dec 20, 2023, 6:16:26 AM12/20/23

to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Mon, 18 Dec 2023 06:33:26 -0800

> HEAD commit: d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

@@ -1975,9 +1975,12 @@ static int taprio_change(struct Qdisc *s
goto unlock;
}

+ spin_lock_irqsave(&q->current_entry_lock, flags);
+ admin = rtnl_dereference(q->admin_sched);
rcu_assign_pointer(q->admin_sched, new_admin);
if (admin)
call_rcu(&admin->rcu, taprio_free_sched_cb);
+ spin_unlock_irqrestore(&q->current_entry_lock, flags);
} else {
setup_first_end_time(q, new_admin, start);

@@ -2393,6 +2396,7 @@ static int taprio_dump(struct Qdisc *sch

struct sched_gate_list *oper, *admin;
struct tc_mqprio_qopt opt = { 0 };
struct nlattr *nest, *sched_nest;
+ int active = hrtimer_cancel(&q->advance_timer);

oper = rtnl_dereference(q->oper_sched);
admin = rtnl_dereference(q->admin_sched);

@@ -2436,6 +2440,10 @@ static int taprio_dump(struct Qdisc *sch

nla_nest_end(skb, sched_nest);

done:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return nla_nest_end(skb, nest);

admin_error:

@@ -2445,6 +2453,10 @@ options_error:

syzbot

unread,

Dec 20, 2023, 7:44:06 AM12/20/23

to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in call_rcu

------------[ cut here ]------------

ODEBUG: activate active (active state 1) object: 0000000040a741f2 object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 10724 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 10724 at lib/debugobjects.c:517 debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
Modules linked in:
CPU: 0 PID: 10724 Comm: syz-executor.4 Not tainted 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_activate+0x578/0x7e0 lib/debugobjects.c:733
sp : ffff800080007a00
x29: ffff800080007ad0 x28: dfff800000000000 x27: ffff700010000f44

x26: 0000000000000000 x25: ffff0000da75c900 x24: 0000000000000000

x23: ffff80008a9af3a0 x22: ffff80008ae8cdc0 x21: 0000000000000001

x20: ffff80008a9af3a0 x19: ffff0000da75c900 x18: ffff800080006ee0
x17: 6631343761303430 x16: ffff80008a82f460 x15: 0000000000000001

x14: 1fffe0003682623a x13: 0000000000000000 x12: 0000000000000000

x11: 0000000000010004 x10: 0000000000ff0100 x9 : f1155cbcba9a1100
x8 : f1155cbcba9a1100 x7 : 0000000000000001 x6 : 0000000000000001

__daif_local_irq_restore arch/arm64/include/asm/irqflags.h:176 [inline]
arch_local_irq_restore arch/arm64/include/asm/irqflags.h:196 [inline]
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x44/0x98 kernel/locking/spinlock.c:194
unlock_hrtimer_base kernel/time/hrtimer.c:1020 [inline]
hrtimer_start_range_ns+0x8a0/0x9ac kernel/time/hrtimer.c:1304
hrtimer_start include/linux/hrtimer.h:418 [inline]
taprio_dump+0xa40/0xc68 net/sched/sch_taprio.c:2444

tc_fill_qdisc+0x570/0xf1c net/sched/sch_api.c:952
qdisc_notify+0x1a0/0x338 net/sched/sch_api.c:1024
tc_modify_qdisc+0x16d4/0x1870 net/sched/sch_api.c:1719
rtnetlink_rcv_msg+0x748/0xdbc net/core/rtnetlink.c:6558
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2545
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6576
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x65c/0x898 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x83c/0xb20 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x56c/0x840 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2667
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2674

irq event stamp: 2628
hardirqs last enabled at (2627): [<ffff80008a91ca44>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (2627): [<ffff80008a91ca44>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (2628): [<ffff80008a82b044>] __el1_irq arch/arm64/kernel/entry-common.c:499 [inline]
hardirqs last disabled at (2628): [<ffff80008a82b044>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:517
softirqs last enabled at (2616): [<ffff800088d03038>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (2616): [<ffff800088d03038>] taprio_change+0x3504/0x3d40 net/sched/sch_taprio.c:2010
softirqs last disabled at (2608): [<ffff800088d029c0>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (2608): [<ffff800088d029c0>] taprio_change+0x2e8c/0x3d40 net/sched/sch_taprio.c:1943

---[ end trace 0000000000000000 ]---
------------[ cut here ]------------

ODEBUG: active_state active (active state 1) object: 0000000040a741f2 object type: rcu_head hint: 0x0
WARNING: CPU: 0 PID: 10724 at lib/debugobjects.c:517 debug_print_object lib/debugobjects.c:514 [inline]
WARNING: CPU: 0 PID: 10724 at lib/debugobjects.c:517 debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
Modules linked in:
CPU: 0 PID: 10724 Comm: syz-executor.4 Tainted: G W 6.7.0-rc5-syzkaller-00083-gd5b235ec8eab-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:514 [inline]
pc : debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
lr : debug_print_object lib/debugobjects.c:514 [inline]
lr : debug_object_active_state+0x2e4/0x414 lib/debugobjects.c:993
sp : ffff800080007ac0
x29: ffff800080007ad0 x28: ffff80008e4f0000 x27: dfff800000000000

x26: 1fffe0001ac85cf7 x25: ffff800092d4d000 x24: 1fffe0001ac85cf8
x23: 0000000000000000 x22: ffff0000da75c900 x21: ffff80008a9af3a0

x20: ffff80008ae8cdc0 x19: 0000000000000001 x18: ffff800080006ee0

x17: 6130343030303030 x16: ffff80008a82f460 x15: 0000000000000001

x14: 1fffe0003682623a x13: 0000000000000000 x12: 0000000000000000

x11: 0000000000010004 x10: 0000000000ff0100 x9 : f1155cbcba9a1100
x8 : f1155cbcba9a1100 x7 : 0000000000000001 x6 : 0000000000000001

---[ end trace 0000000000000000 ]---

rcu: __call_rcu_common(): Double-freed CB 0000000040a741f2->taprio_free_sched_cb+0x0/0x178()!!! slab kmalloc-512 start ffff0000da75c800 pointer offset 256 size 512

Tested on:

commit: d5b235ec Merge branch 'for-next/core' into for-kernelci
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

console output: https://syzkaller.appspot.com/x/log.txt?x=11d6e2bee80000

patch: https://syzkaller.appspot.com/x/patch.diff?x=11e0f416e80000

Hillf Danton

unread,

Dec 20, 2023, 11:36:41 PM12/20/23

to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Mon, 18 Dec 2023 06:33:26 -0800

> HEAD commit: d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

@@ -1941,6 +1941,9 @@ static int taprio_change(struct Qdisc *s

/* Protects against enqueue()/dequeue() */
spin_lock_bh(qdisc_lock(sch));
+ spin_lock_irqsave(&q->current_entry_lock, flags);
+ oper = rtnl_dereference(q->oper_sched);

+ admin = rtnl_dereference(q->admin_sched);

if (tb[TCA_TAPRIO_ATTR_TXTIME_DELAY]) {
if (!TXTIME_ASSIST_IS_ENABLED(q->flags)) {
@@ -1981,17 +1984,12 @@ static int taprio_change(struct Qdisc *s
} else {
setup_first_end_time(q, new_admin, start);

- /* Protects against advance_sched() */
- spin_lock_irqsave(&q->current_entry_lock, flags);
-
taprio_start_sched(sch, start, new_admin);

rcu_assign_pointer(q->admin_sched, new_admin);
if (admin)
call_rcu(&admin->rcu, taprio_free_sched_cb);

- spin_unlock_irqrestore(&q->current_entry_lock, flags);
-
if (FULL_OFFLOAD_IS_ENABLED(q->flags))
taprio_offload_config_changed(q);
}
@@ -2004,6 +2002,7 @@ static int taprio_change(struct Qdisc *s
"Size table not specified, frame length estimations may be inaccurate");

unlock:
+ spin_unlock_irqrestore(&q->current_entry_lock, flags);
spin_unlock_bh(qdisc_lock(sch));

free_sched:
@@ -2393,6 +2392,7 @@ static int taprio_dump(struct Qdisc *sch

@@ -2436,6 +2436,10 @@ static int taprio_dump(struct Qdisc *sch

nla_nest_end(skb, sched_nest);

done:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return nla_nest_end(skb, nest);

admin_error:

@@ -2445,6 +2449,10 @@ options_error:

syzbot

unread,

Dec 21, 2023, 12:02:08 AM12/21/23

to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d4d8c0...@syzkaller.appspotmail.com

Tested on:

commit: d5b235ec Merge branch 'for-next/core' into for-kernelci
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

console output: https://syzkaller.appspot.com/x/log.txt?x=10924b06e80000

patch: https://syzkaller.appspot.com/x/patch.diff?x=177ca826e80000

Note: testing is done by a robot and is best-effort only.

Reply all

Reply to author

Forward

0 new messages