[syzbot] KASAN: use-after-free Read in kernfs_add_one
31 views
Skip to first unread message
syzbot
Sep 22, 2021, 2:56:31 AM9/22/21
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: ddf21bd8ab98 Merge tag 'iov_iter.3-5.15-2021-09-17' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165c1751300000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d93fe4341f98704
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef17b5...@syzkaller.appspotmail.com
usb 4-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 4-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
BUG: KASAN: use-after-free in kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
Read of size 8 at addr ffff88801b2ada28 by task kworker/1:4/7907
CPU: 1 PID: 7907 Comm: kworker/1:4 Not tainted 5.15.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
device_add+0x36a/0x21b0 drivers/base/core.c:3294
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Allocated by task 7907:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node fs/kernfs/dir.c:647 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
device_add+0x36a/0x21b0 drivers/base/core.c:3294
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 69:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
slab_free mm/slub.c:3483 [inline]
kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1360
kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1373
sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:102
__kobject_del+0xe2/0x200 lib/kobject.c:620
kobject_del lib/kobject.c:643 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:635
device_del+0x834/0xd60 drivers/base/core.c:3558
usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251
hub_port_connect drivers/usb/core/hub.c:5199 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
port_event drivers/usb/core/hub.c:5634 [inline]
hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
process_scheduled_works kernel/workqueue.c:2360 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff88801b2ad9f8
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
168-byte region [ffff88801b2ad9f8, ffff88801b2adaa0)
The buggy address belongs to the page:
page:ffffea00006cab40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b2ad
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001cdb480 0000001100000008 ffff888010dc5a00
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 7198, ts 181519968528, free_ts 181515461864
prep_new_page mm/page_alloc.c:2424 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
alloc_slab_page mm/slub.c:1763 [inline]
allocate_slab mm/slub.c:1900 [inline]
new_slab+0x319/0x490 mm/slub.c:1963
___slab_alloc+0x921/0xfe0 mm/slub.c:2994
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
slab_alloc_node mm/slub.c:3172 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x328/0xb20 fs/sysfs/group.c:149
netdev_queue_add_kobject net/core/net-sysfs.c:1616 [inline]
netdev_queue_update_kobjects+0x353/0x460 net/core/net-sysfs.c:1655
register_queue_kobjects net/core/net-sysfs.c:1716 [inline]
netdev_register_kobject+0x35a/0x430 net/core/net-sysfs.c:1959
register_netdevice+0xd33/0x1500 net/core/dev.c:10295
veth_newlink+0x58c/0xb20 drivers/net/veth.c:1726
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3315 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3394
__unfreeze_partials+0x340/0x360 mm/slub.c:2495
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x328/0xb20 fs/sysfs/group.c:149
internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:189
internal_create_groups fs/sysfs/group.c:185 [inline]
sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:215
device_add_groups drivers/base/core.c:2438 [inline]
device_add_attrs drivers/base/core.c:2597 [inline]
device_add+0x14ee/0x21b0 drivers/base/core.c:3310
netdev_register_kobject+0x181/0x430 net/core/net-sysfs.c:1955
Memory state around the buggy address:
ffff88801b2ad900: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801b2ad980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa
>ffff88801b2ada00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801b2ada80: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
ffff88801b2adb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: ddf21bd8ab98 Merge tag 'iov_iter.3-5.15-2021-09-17' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165c1751300000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d93fe4341f98704
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef17b5...@syzkaller.appspotmail.com
usb 4-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 4-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
BUG: KASAN: use-after-free in kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
Read of size 8 at addr ffff88801b2ada28 by task kworker/1:4/7907
CPU: 1 PID: 7907 Comm: kworker/1:4 Not tainted 5.15.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
device_add+0x36a/0x21b0 drivers/base/core.c:3294
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Allocated by task 7907:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node fs/kernfs/dir.c:647 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
device_add+0x36a/0x21b0 drivers/base/core.c:3294
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 69:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
slab_free mm/slub.c:3483 [inline]
kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1360
kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1373
sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:102
__kobject_del+0xe2/0x200 lib/kobject.c:620
kobject_del lib/kobject.c:643 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:635
device_del+0x834/0xd60 drivers/base/core.c:3558
usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251
hub_port_connect drivers/usb/core/hub.c:5199 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
port_event drivers/usb/core/hub.c:5634 [inline]
hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
process_scheduled_works kernel/workqueue.c:2360 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff88801b2ad9f8
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
168-byte region [ffff88801b2ad9f8, ffff88801b2adaa0)
The buggy address belongs to the page:
page:ffffea00006cab40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b2ad
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001cdb480 0000001100000008 ffff888010dc5a00
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 7198, ts 181519968528, free_ts 181515461864
prep_new_page mm/page_alloc.c:2424 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
alloc_slab_page mm/slub.c:1763 [inline]
allocate_slab mm/slub.c:1900 [inline]
new_slab+0x319/0x490 mm/slub.c:1963
___slab_alloc+0x921/0xfe0 mm/slub.c:2994
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
slab_alloc_node mm/slub.c:3172 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x328/0xb20 fs/sysfs/group.c:149
netdev_queue_add_kobject net/core/net-sysfs.c:1616 [inline]
netdev_queue_update_kobjects+0x353/0x460 net/core/net-sysfs.c:1655
register_queue_kobjects net/core/net-sysfs.c:1716 [inline]
netdev_register_kobject+0x35a/0x430 net/core/net-sysfs.c:1959
register_netdevice+0xd33/0x1500 net/core/dev.c:10295
veth_newlink+0x58c/0xb20 drivers/net/veth.c:1726
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3315 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3394
__unfreeze_partials+0x340/0x360 mm/slub.c:2495
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
create_files fs/sysfs/group.c:64 [inline]
internal_create_group+0x328/0xb20 fs/sysfs/group.c:149
internal_create_groups.part.0+0x90/0x140 fs/sysfs/group.c:189
internal_create_groups fs/sysfs/group.c:185 [inline]
sysfs_create_groups+0x25/0x50 fs/sysfs/group.c:215
device_add_groups drivers/base/core.c:2438 [inline]
device_add_attrs drivers/base/core.c:2597 [inline]
device_add+0x14ee/0x21b0 drivers/base/core.c:3310
netdev_register_kobject+0x181/0x430 net/core/net-sysfs.c:1955
Memory state around the buggy address:
ffff88801b2ad900: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801b2ad980: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa
>ffff88801b2ada00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801b2ada80: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
ffff88801b2adb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Oct 18, 2021, 9:22:27 AM10/18/21
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
syzbot has found a reproducer for the following issue on:
HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef17b5...@syzkaller.appspotmail.com
usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.15.0-rc5-syzkaller #0
get_device_parent+0x3de/0x590 drivers/base/core.c:3005
device_add+0x2a8/0x1ee0 drivers/base/core.c:3317
get_device_parent+0x3de/0x590 drivers/base/core.c:3005
device_add+0x2a8/0x1ee0 drivers/base/core.c:3317
kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1385
dpm_sysfs_add+0x241/0x290 drivers/base/power/sysfs.c:707
device_add+0xac4/0x1ee0 drivers/base/core.c:3353
usb_create_ep_devs+0x15c/0x2a0 drivers/usb/core/endpoint.c:169
usb_new_device.cold+0xc7c/0x108e drivers/usb/core/hub.c:2591
release_pages+0x830/0x20b0 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu mm/mmu_gather.c:249 [inline]
tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:340
exit_mmap+0x1ea/0x630 mm/mmap.c:3173
__mmput+0x122/0x4b0 kernel/fork.c:1115
mmput+0x58/0x60 kernel/fork.c:1136
free_bprm+0x65/0x2e0 fs/exec.c:1483
kernel_execve+0x380/0x460 fs/exec.c:1980
call_usermodehelper_exec_async+0x2e3/0x580 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffff88807d1cf100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807d1cf180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
>ffff88807d1cf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
^
ffff88807d1cf280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807d1cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ef17b5...@syzkaller.appspotmail.com
usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
==================================================================
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
BUG: KASAN: use-after-free in kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
Read of size 8 at addr ffff88807d1cf200 by task kworker/1:0/20
BUG: KASAN: use-after-free in kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
BUG: KASAN: use-after-free in kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.15.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
class_dir_create_and_add drivers/base/core.c:2950 [inline]
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
kernfs_root fs/kernfs/kernfs-internal.h:48 [inline]
kernfs_add_one+0x480/0x4c0 fs/kernfs/dir.c:765
kernfs_create_dir_ns+0x18b/0x220 fs/kernfs/dir.c:994
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
get_device_parent+0x3de/0x590 drivers/base/core.c:3005
device_add+0x2a8/0x1ee0 drivers/base/core.c:3317
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Allocated by task 20:
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node fs/kernfs/dir.c:647 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
class_dir_create_and_add drivers/base/core.c:2950 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3206 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x209/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node fs/kernfs/dir.c:647 [inline]
kernfs_create_dir_ns+0x9c/0x220 fs/kernfs/dir.c:984
sysfs_create_dir_ns+0x128/0x290 fs/sysfs/dir.c:59
create_dir lib/kobject.c:89 [inline]
kobject_add_internal+0x2d2/0xa60 lib/kobject.c:255
kobject_add_varg lib/kobject.c:390 [inline]
kobject_add+0x150/0x1c0 lib/kobject.c:442
get_device_parent+0x3de/0x590 drivers/base/core.c:3005
device_add+0x2a8/0x1ee0 drivers/base/core.c:3317
fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:507 [inline]
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 1053:
fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:583 [inline]
firmware_fallback_sysfs+0x408/0xe70 drivers/base/firmware_loader/fallback.c:659
_request_firmware+0xbb5/0x1040 drivers/base/firmware_loader/main.c:833
request_firmware_work_func+0xdd/0x230 drivers/base/firmware_loader/main.c:1079
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
slab_free mm/slub.c:3483 [inline]
kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
__kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1372
kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1700 [inline]
slab_free_freelist_hook+0x81/0x190 mm/slub.c:1725
slab_free mm/slub.c:3483 [inline]
kmem_cache_free+0x8a/0x5b0 mm/slub.c:3499
kernfs_put.part.0+0x2c4/0x540 fs/kernfs/dir.c:539
kernfs_put+0x42/0x50 fs/kernfs/dir.c:513
kernfs_remove+0x1d/0x30 fs/kernfs/dir.c:1385
sysfs_remove_dir+0xc1/0x100 fs/sysfs/dir.c:102
__kobject_del+0xe2/0x200 lib/kobject.c:620
kobject_del lib/kobject.c:643 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:635
device_del+0x834/0xd60 drivers/base/core.c:3595
__kobject_del+0xe2/0x200 lib/kobject.c:620
kobject_del lib/kobject.c:643 [inline]
kobject_del+0x3c/0x60 lib/kobject.c:635
usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251
hub_port_connect drivers/usb/core/hub.c:5199 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
port_event drivers/usb/core/hub.c:5634 [inline]
hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
process_scheduled_works kernel/workqueue.c:2360 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff88807d1cf1d0
hub_port_connect drivers/usb/core/hub.c:5199 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5488 [inline]
port_event drivers/usb/core/hub.c:5634 [inline]
hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
process_scheduled_works kernel/workqueue.c:2360 [inline]
worker_thread+0x85c/0x11f0 kernel/workqueue.c:2446
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 48 bytes inside of
168-byte region [ffff88807d1cf1d0, ffff88807d1cf278)
The buggy address is located 48 bytes inside of
The buggy address belongs to the page:
page:ffffea0001f473c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d1cf
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888010dc5a00
raw: 0000000000000000 0000000080110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1053, ts 267312666352, free_ts 267295630227
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
prep_new_page mm/page_alloc.c:2424 [inline]
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
alloc_slab_page mm/slub.c:1763 [inline]
allocate_slab mm/slub.c:1900 [inline]
new_slab+0x319/0x490 mm/slub.c:1963
___slab_alloc+0x921/0xfe0 mm/slub.c:2994
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
slab_alloc_node mm/slub.c:3172 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
sysfs_merge_group+0x198/0x320 fs/sysfs/group.c:343
get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197
alloc_slab_page mm/slub.c:1763 [inline]
allocate_slab mm/slub.c:1900 [inline]
new_slab+0x319/0x490 mm/slub.c:1963
___slab_alloc+0x921/0xfe0 mm/slub.c:2994
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3081
slab_alloc_node mm/slub.c:3172 [inline]
slab_alloc mm/slub.c:3214 [inline]
kmem_cache_alloc+0x365/0x390 mm/slub.c:3219
kmem_cache_zalloc include/linux/slab.h:711 [inline]
__kernfs_new_node+0xd4/0x8b0 fs/kernfs/dir.c:585
kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:647
__kernfs_create_file+0x51/0x350 fs/kernfs/file.c:985
sysfs_add_file_mode_ns+0x226/0x540 fs/sysfs/file.c:317
dpm_sysfs_add+0x241/0x290 drivers/base/power/sysfs.c:707
device_add+0xac4/0x1ee0 drivers/base/core.c:3353
usb_create_ep_devs+0x15c/0x2a0 drivers/usb/core/endpoint.c:169
usb_new_device.cold+0xc7c/0x108e drivers/usb/core/hub.c:2591
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3315 [inline]
free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3431
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3315 [inline]
release_pages+0x830/0x20b0 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu mm/mmu_gather.c:249 [inline]
tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:340
exit_mmap+0x1ea/0x630 mm/mmap.c:3173
__mmput+0x122/0x4b0 kernel/fork.c:1115
mmput+0x58/0x60 kernel/fork.c:1136
free_bprm+0x65/0x2e0 fs/exec.c:1483
kernel_execve+0x380/0x460 fs/exec.c:1980
call_usermodehelper_exec_async+0x2e3/0x580 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffff88807d1cf180: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
>ffff88807d1cf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
^
ffff88807d1cf280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807d1cf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Hillf Danton
Oct 22, 2022, 8:34:27 AM10/22/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 18 Oct 2021 06:22:25 -0700
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cf52ad5ff16c
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
}
static void uea_upload_pre_firmware(const struct firmware *fw_entry,
- void *context)
+ struct usb_device *usb)
{
- struct usb_device *usb = context;
const u8 *pfw;
u8 value;
u32 crc = 0;
@@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
{
int ret;
char *fw_name = EAGLE_FIRMWARE;
+ const struct firmware *fw;
uea_enters(usb);
uea_info(usb, "pre-firmware device, uploading firmware\n");
@@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
break;
}
- ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
- GFP_KERNEL, usb,
- uea_upload_pre_firmware);
+ ret = request_firmware(&fw, fw_name, &usb->dev);
if (ret)
uea_err(usb, "firmware %s is not available\n", fw_name);
- else
+ else {
uea_info(usb, "loading firmware %s\n", fw_name);
+ uea_upload_pre_firmware(fw, usb);
+ }
uea_leaves(usb);
return ret;
--
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
Load firmware in sync manner to fix uaf.
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cf52ad5ff16c
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -597,9 +597,8 @@ static int uea_send_modem_cmd(struct usb
}
static void uea_upload_pre_firmware(const struct firmware *fw_entry,
- void *context)
+ struct usb_device *usb)
{
- struct usb_device *usb = context;
const u8 *pfw;
u8 value;
u32 crc = 0;
@@ -679,6 +678,7 @@ static int uea_load_firmware(struct usb_
{
int ret;
char *fw_name = EAGLE_FIRMWARE;
+ const struct firmware *fw;
uea_enters(usb);
uea_info(usb, "pre-firmware device, uploading firmware\n");
@@ -701,13 +701,13 @@ static int uea_load_firmware(struct usb_
break;
}
- ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
- GFP_KERNEL, usb,
- uea_upload_pre_firmware);
+ ret = request_firmware(&fw, fw_name, &usb->dev);
if (ret)
uea_err(usb, "firmware %s is not available\n", fw_name);
- else
+ else {
uea_info(usb, "loading firmware %s\n", fw_name);
+ uea_upload_pre_firmware(fw, usb);
+ }
uea_leaves(usb);
return ret;
--
syzbot
Oct 22, 2022, 12:44:26 PM10/22/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in wg_xmit
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
member access within address ffffc900000074c0 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc5-syzkaller-00376-gcf52ad5ff16c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
handle_object_size_mismatch lib/ubsan.c:232 [inline]
ubsan_type_mismatch_common+0x1e6/0x390 lib/ubsan.c:245
__ubsan_handle_type_mismatch_v1+0x4a/0x60 lib/ubsan.c:274
__skb_queue_before include/linux/skbuff.h:2048 [inline]
__skb_queue_tail include/linux/skbuff.h:2081 [inline]
wg_xmit+0x565/0xda0 drivers/net/wireguard/device.c:182
__netdev_start_xmit include/linux/netdevice.h:4988 [inline]
netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:5002
xmit_one net/core/dev.c:3576 [inline]
dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
__dev_queue_xmit+0x1497/0x2140 net/core/dev.c:4202
neigh_output include/net/neighbour.h:510 [inline]
ip6_finish_output2+0xf45/0x1300 net/ipv6/ip6_output.c:126
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
ndisc_send_skb+0x8c3/0xdd0 net/ipv6/ndisc.c:508
addrconf_rs_timer+0x38c/0x5f0 net/ipv6/addrconf.c:3893
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x685/0x7e0 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x382/0x793 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:636
irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:132 [inline]
RIP: 0010:acpi_safe_halt+0xbc/0x160 drivers/acpi/processor_idle.c:110
Code: 83 e6 08 31 ff e8 24 39 89 f8 48 83 e3 08 75 73 4c 8d 64 24 20 e8 a4 1b 8f f8 eb 0c e8 4d 34 89 f8 0f 00 2d 16 3b c6 00 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 33 00 74 08 4c 89 e7 e8 9e c6 c8 f8
RSP: 0018:ffffffff8b407bc0 EFLAGS: 00000282
RAX: d4f825addbe56c00 RBX: 0000000000000000 RCX: ffffffff8f975703
RDX: ffffffff8b4bbf58 RSI: ffffffff894c55a0 RDI: ffffffff89a4bbe0
RBP: ffffffff8b407c40 R08: ffffffff81787bf0 R09: fffffbfff16976a9
R10: fffffbfff16976a9 R11: 1ffffffff16976a8 R12: ffffffff8b407be0
R13: ffff8880157d0064 R14: dffffc0000000000 R15: 1ffffffff1680f78
acpi_idle_enter+0x371/0x520 drivers/acpi/processor_idle.c:688
cpuidle_enter_state+0x2a8/0xaf0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:351
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x389/0x590 kernel/sched/idle.c:306
cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403
start_kernel+0x4b9/0x568 init/main.c:1142
secondary_startup_64_no_verify+0xb1/0xbb
================================================================================
----------------
Code disassembly (best guess):
0: 83 e6 08 and $0x8,%esi
3: 31 ff xor %edi,%edi
5: e8 24 39 89 f8 callq 0xf889392e
a: 48 83 e3 08 and $0x8,%rbx
e: 75 73 jne 0x83
10: 4c 8d 64 24 20 lea 0x20(%rsp),%r12
15: e8 a4 1b 8f f8 callq 0xf88f1bbe
1a: eb 0c jmp 0x28
1c: e8 4d 34 89 f8 callq 0xf889346e
21: 0f 00 2d 16 3b c6 00 verw 0xc63b16(%rip) # 0xc63b3e
28: fb sti
29: f4 hlt
* 2a: 4c 89 e3 mov %r12,%rbx <-- trapping instruction
2d: 48 c1 eb 03 shr $0x3,%rbx
31: 42 80 3c 33 00 cmpb $0x0,(%rbx,%r14,1)
36: 74 08 je 0x40
38: 4c 89 e7 mov %r12,%rdi
3b: e8 9e c6 c8 f8 callq 0xf8c8c6de
Tested on:
commit: cf52ad5f Merge tag 'driver-core-5.15-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10f1b16a880000
kernel config: https://syzkaller.appspot.com/x/.config?x=e25c48e302d3bf01
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ca1022880000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in wg_xmit
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
member access within address ffffc900000074c0 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc5-syzkaller-00376-gcf52ad5ff16c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
handle_object_size_mismatch lib/ubsan.c:232 [inline]
ubsan_type_mismatch_common+0x1e6/0x390 lib/ubsan.c:245
__ubsan_handle_type_mismatch_v1+0x4a/0x60 lib/ubsan.c:274
__skb_queue_before include/linux/skbuff.h:2048 [inline]
__skb_queue_tail include/linux/skbuff.h:2081 [inline]
wg_xmit+0x565/0xda0 drivers/net/wireguard/device.c:182
__netdev_start_xmit include/linux/netdevice.h:4988 [inline]
netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:5002
xmit_one net/core/dev.c:3576 [inline]
dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
__dev_queue_xmit+0x1497/0x2140 net/core/dev.c:4202
neigh_output include/net/neighbour.h:510 [inline]
ip6_finish_output2+0xf45/0x1300 net/ipv6/ip6_output.c:126
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
ndisc_send_skb+0x8c3/0xdd0 net/ipv6/ndisc.c:508
addrconf_rs_timer+0x38c/0x5f0 net/ipv6/addrconf.c:3893
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x685/0x7e0 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x382/0x793 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:636
irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:132 [inline]
RIP: 0010:acpi_safe_halt+0xbc/0x160 drivers/acpi/processor_idle.c:110
Code: 83 e6 08 31 ff e8 24 39 89 f8 48 83 e3 08 75 73 4c 8d 64 24 20 e8 a4 1b 8f f8 eb 0c e8 4d 34 89 f8 0f 00 2d 16 3b c6 00 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 33 00 74 08 4c 89 e7 e8 9e c6 c8 f8
RSP: 0018:ffffffff8b407bc0 EFLAGS: 00000282
RAX: d4f825addbe56c00 RBX: 0000000000000000 RCX: ffffffff8f975703
RDX: ffffffff8b4bbf58 RSI: ffffffff894c55a0 RDI: ffffffff89a4bbe0
RBP: ffffffff8b407c40 R08: ffffffff81787bf0 R09: fffffbfff16976a9
R10: fffffbfff16976a9 R11: 1ffffffff16976a8 R12: ffffffff8b407be0
R13: ffff8880157d0064 R14: dffffc0000000000 R15: 1ffffffff1680f78
acpi_idle_enter+0x371/0x520 drivers/acpi/processor_idle.c:688
cpuidle_enter_state+0x2a8/0xaf0 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:351
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x389/0x590 kernel/sched/idle.c:306
cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403
start_kernel+0x4b9/0x568 init/main.c:1142
secondary_startup_64_no_verify+0xb1/0xbb
================================================================================
----------------
Code disassembly (best guess):
0: 83 e6 08 and $0x8,%esi
3: 31 ff xor %edi,%edi
5: e8 24 39 89 f8 callq 0xf889392e
a: 48 83 e3 08 and $0x8,%rbx
e: 75 73 jne 0x83
10: 4c 8d 64 24 20 lea 0x20(%rsp),%r12
15: e8 a4 1b 8f f8 callq 0xf88f1bbe
1a: eb 0c jmp 0x28
1c: e8 4d 34 89 f8 callq 0xf889346e
21: 0f 00 2d 16 3b c6 00 verw 0xc63b16(%rip) # 0xc63b3e
28: fb sti
29: f4 hlt
* 2a: 4c 89 e3 mov %r12,%rbx <-- trapping instruction
2d: 48 c1 eb 03 shr $0x3,%rbx
31: 42 80 3c 33 00 cmpb $0x0,(%rbx,%r14,1)
36: 74 08 je 0x40
38: 4c 89 e7 mov %r12,%rdi
3b: e8 9e c6 c8 f8 callq 0xf8c8c6de
Tested on:
commit: cf52ad5f Merge tag 'driver-core-5.15-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10f1b16a880000
kernel config: https://syzkaller.appspot.com/x/.config?x=e25c48e302d3bf01
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ca1022880000
Hillf Danton
Oct 22, 2022, 8:47:46 PM10/22/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 18 Oct 2021 06:22:25 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
Load firmware in sync manner to fix uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1a2fb220edca
syzbot
Oct 22, 2022, 10:53:18 PM10/22/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
che: Netfs 'afs' registered for caching
[ 13.500882][ T1] Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
[ 13.510556][ T1] Key type big_key registered
[ 13.519302][ T1] Key type encrypted registered
[ 13.524584][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 13.530967][ T1] Loading compiled-in module X.509 certificates
[ 13.538472][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
[ 13.549867][ T1] ima: Allocated hash algorithm: sha256
[ 13.555945][ T1] ima: No architecture policies found
[ 13.561723][ T1] evm: Initialising EVM extended attributes:
[ 13.568162][ T1] evm: security.selinux (disabled)
[ 13.573567][ T1] evm: security.SMACK64
[ 13.578111][ T1] evm: security.SMACK64EXEC
[ 13.582752][ T1] evm: security.SMACK64TRANSMUTE
[ 13.588073][ T1] evm: security.SMACK64MMAP
[ 13.592999][ T1] evm: security.apparmor (disabled)
[ 13.598532][ T1] evm: security.ima
[ 13.602464][ T1] evm: security.capability
[ 13.607225][ T1] evm: HMAC attrs: 0x1
[ 13.699721][ T1] PM: Magic number: 10:646:713
[ 13.705725][ T1] video4linux radio24: hash matches
[ 13.716160][ T1] printk: console [netcon0] enabled
[ 13.721404][ T1] netconsole: network logging started
[ 13.727580][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 13.737077][ T1] rdma_rxe: loaded
[ 13.741304][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 13.753006][ T1] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 13.763068][ T1] ALSA device list:
[ 13.764341][ T7] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 13.767026][ T1] #0: Dummy 1
[ 13.776574][ T7] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 13.788911][ T1] #1: Loopback 1
[ 13.792729][ T1] #2: Virtual MIDI Card 1
[ 13.800826][ T1] md: Waiting for all devices to be available before autodetect
[ 13.808606][ T1] md: If you don't use raid, use raid=noautodetect
[ 13.815242][ T1] md: Autodetecting RAID arrays.
[ 13.820269][ T1] md: autorun ...
[ 13.823994][ T1] md: ... autorun DONE.
[ 13.853970][ T1] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[ 13.864437][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 13.886509][ T1] devtmpfs: mounted
[ 13.949731][ T1] Freeing unused kernel image (initmem) memory: 3828K
[ 13.956753][ T1] Write protecting the kernel read-only data: 167936k
[ 13.969087][ T1] Freeing unused kernel image (text/rodata gap) memory: 2012K
[ 13.979387][ T1] Freeing unused kernel image (rodata/data gap) memory: 1688K
[ 13.992266][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 14.002382][ T1] Run /sbin/init as init process
[ 14.257070][ T2936] mount (2936) used greatest stack depth: 23376 bytes left
[ 14.317912][ T2937] EXT4-fs (sda1): re-mounted. Opts: (null). Quota mode: none.
[ 14.357277][ T2939] mkdir (2939) used greatest stack depth: 23296 bytes left
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
mount: mounting mqueue on /dev/mqueue failed: No such file or directory
mount: [ 14.406166][ T2940] mount (2940) used greatest stack depth: 21664 bytes left
mounting hugetlbfs on /dev/hugepages failed: No such file or directory
mount: mounting fuse.lxcfs on /var/lib/lxcfs failed: No such file or directory
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: OK
[ 14.952768][ T2965] logger (2965) used greatest stack depth: 21264 bytes left
Populating /dev using udev: [ 15.122458][ T2969] udevd[2969]: starting version 3.2.10
[ 15.431463][ T2970] udevd[2970]: starting eudev-3.2.10
[ 15.433624][ T2969] udevd (2969) used greatest stack depth: 19776 bytes left
[ 18.456577][ T2979] ================================================================================
[ 18.469857][ T2979] UBSAN: null-ptr-deref in ./include/linux/pagemap.h:1088:17
[ 18.538074][ T2979] member access within null pointer of type 'struct folio'
[ 18.575904][ T2979] CPU: 0 PID: 2979 Comm: udevd Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 18.586314][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 18.596595][ T2979] Call Trace:
[ 18.599900][ T2979] <TASK>
[ 18.602840][ T2979] dump_stack_lvl+0x1e3/0x2cb
[ 18.607653][ T2979] ? bfq_pos_tree_add_move+0x451/0x451
[ 18.613136][ T2979] ? panic+0x7e3/0x7e3
[ 18.617406][ T2979] ? mpage_readahead+0x6a0/0x6a0
[ 18.622367][ T2979] ubsan_type_mismatch_common+0x280/0x390
[ 18.628692][ T2979] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 18.634794][ T2979] mpage_readahead+0x588/0x6a0
[ 18.639606][ T2979] ? dio_await_one+0x250/0x250
[ 18.644440][ T2979] ? blkdev_fallocate+0x330/0x330
[ 18.649751][ T2979] ? put_page+0x90/0x90
[ 18.654283][ T2979] ? __alloc_pages+0x2fd/0x5f0
[ 18.659256][ T2979] ? blk_start_plug_nr_ios+0xaa/0x210
[ 18.664788][ T2979] read_pages+0x162/0x520
[ 18.669173][ T2979] ? page_cache_ra_unbounded+0x840/0x840
[ 18.674829][ T2979] ? filemap_add_folio+0x1ab/0x220
[ 18.680150][ T2979] ? add_to_page_cache_locked+0x90/0x90
[ 18.685994][ T2979] ? folio_alloc+0x47/0x50
[ 18.690543][ T2979] ? filemap_alloc_folio+0x1a9/0x1c0
[ 18.696205][ T2979] page_cache_ra_unbounded+0x6c1/0x840
[ 18.701964][ T2979] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 18.708384][ T2979] ? do_page_cache_ra+0xde/0x100
[ 18.713352][ T2979] force_page_cache_ra+0x288/0x2e0
[ 18.718608][ T2979] filemap_read+0x809/0x23d0
[ 18.723270][ T2979] ? find_get_pages_range_tag+0x570/0x570
[ 18.729098][ T2979] ? memset+0x1f/0x40
[ 18.733162][ T2979] ? generic_file_read_iter+0x9e/0x4a0
[ 18.739180][ T2979] ? memset+0x1f/0x40
[ 18.743347][ T2979] ? init_sync_kiocb+0x303/0x4b0
[ 18.748408][ T2979] vfs_read+0x5cd/0x760
[ 18.753197][ T2979] ? kernel_read+0x1f0/0x1f0
[ 18.757837][ T2979] ? __fget_light+0xcc/0x170
[ 18.762803][ T2979] ksys_read+0x19f/0x2d0
[ 18.767273][ T2979] ? vfs_write+0x720/0x720
[ 18.771729][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.777991][ T2979] ? lockdep_hardirqs_on+0x95/0x140
[ 18.783257][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.789379][ T2979] do_syscall_64+0x44/0xa0
[ 18.794342][ T2979] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 18.800265][ T2979] RIP: 0033:0x7fef837538fe
[ 18.804785][ T2979] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 18.824787][ T2979] RSP: 002b:00007ffea8972ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 18.834099][ T2979] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007fef837538fe
[ 18.842179][ T2979] RDX: 0000000000000040 RSI: 000055f64a2af6d8 RDI: 0000000000000009
[ 18.850170][ T2979] RBP: 0000000000000040 R08: 000055f64a2af6b0 R09: 00007fef83823a60
[ 18.858243][ T2979] R10: 0000000000200000 R11: 0000000000000246 R12: 000055f64a2af6b0
[ 18.866500][ T2979] R13: 000055f64a2af6c8 R14: 000055f64a2b6720 R15: 000055f64a2b66d0
[ 18.874677][ T2979] </TASK>
[ 19.500327][ T2991] ================================================================================
[ 19.661875][ T2991] UBSAN: object-size-mismatch in net/unix/af_unix.c:1094:14
[ 19.717755][ T2991] member access within address ffff88801815e6c8 with insufficient space
[ 19.779625][ T2991] for an object of type 'struct sockaddr_un'
[ 19.844942][ T2991] CPU: 1 PID: 2991 Comm: udevadm Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 19.855745][ T2991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 19.866130][ T2991] Call Trace:
[ 19.869498][ T2991] <TASK>
[ 19.872430][ T2991] dump_stack_lvl+0x1e3/0x2cb
[ 19.877100][ T2991] ? bfq_pos_tree_add_move+0x451/0x451
[ 19.882543][ T2991] ? panic+0x7e3/0x7e3
[ 19.886901][ T2991] ubsan_type_mismatch_common+0x1e6/0x390
[ 19.892637][ T2991] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 19.898625][ T2991] unix_autobind+0x13e/0x4d0
[ 19.903239][ T2991] unix_stream_connect+0x622/0xbf0
[ 19.908342][ T2991] ? bpf_lsm_socket_connect+0x5/0x10
[ 19.914131][ T2991] ? security_socket_connect+0x9d/0xb0
[ 19.919703][ T2991] __x64_sys_connect+0x15b/0x1e0
[ 19.924797][ T2991] ? __sys_connect+0x170/0x170
[ 19.929592][ T2991] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.935598][ T2991] ? lockdep_hardirqs_on+0x95/0x140
[ 19.941067][ T2991] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.947035][ T2991] do_syscall_64+0x44/0xa0
[ 19.951623][ T2991] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 19.957618][ T2991] RIP: 0033:0x7f474d116d23
[ 19.962241][ T2991] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 19.982635][ T2991] RSP: 002b:00007fffd159a368 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 19.991348][ T2991] RAX: ffffffffffffffda RBX: 0000559aa0cda930 RCX: 00007f474d116d23
[ 19.999354][ T2991] RDX: 0000000000000013 RSI: 0000559aa0cda948 RDI: 0000000000000003
[ 20.007628][ T2991] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 20.015622][ T2991] R10: 00007fffd159a4b4 R11: 0000000000000246 R12: 00007fffd159a380
[ 20.023593][ T2991] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 20.031578][ T2991] </TASK>
[ 20.613100][ T2979] ================================================================================
[ 20.681439][ T2979] Kernel panic - not syncing: panic_on_warn set ...
[ 20.688430][ T2979] CPU: 0 PID: 2979 Comm: udevd Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 20.698597][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 20.708677][ T2979] Call Trace:
[ 20.711976][ T2979] <TASK>
[ 20.714926][ T2979] dump_stack_lvl+0x1e3/0x2cb
[ 20.719636][ T2979] ? bfq_pos_tree_add_move+0x451/0x451
[ 20.725127][ T2979] ? panic+0x7e3/0x7e3
[ 20.729236][ T2979] panic+0x2f1/0x7e3
[ 20.733377][ T2979] ? ubsan_type_mismatch_common+0x2a4/0x390
[ 20.739478][ T2979] ? fb_is_primary_device+0xcc/0xcc
[ 20.744706][ T2979] ? panic+0x7e3/0x7e3
[ 20.748985][ T2979] ? mpage_readahead+0x6a0/0x6a0
[ 20.754056][ T2979] ubsan_type_mismatch_common+0x38c/0x390
[ 20.760262][ T2979] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 20.766546][ T2979] mpage_readahead+0x588/0x6a0
[ 20.771338][ T2979] ? dio_await_one+0x250/0x250
[ 20.776581][ T2979] ? blkdev_fallocate+0x330/0x330
[ 20.781833][ T2979] ? put_page+0x90/0x90
[ 20.786019][ T2979] ? __alloc_pages+0x2fd/0x5f0
[ 20.790815][ T2979] ? blk_start_plug_nr_ios+0xaa/0x210
[ 20.796385][ T2979] read_pages+0x162/0x520
[ 20.800836][ T2979] ? page_cache_ra_unbounded+0x840/0x840
[ 20.806593][ T2979] ? filemap_add_folio+0x1ab/0x220
[ 20.811913][ T2979] ? add_to_page_cache_locked+0x90/0x90
[ 20.817565][ T2979] ? folio_alloc+0x47/0x50
[ 20.822089][ T2979] ? filemap_alloc_folio+0x1a9/0x1c0
[ 20.827414][ T2979] page_cache_ra_unbounded+0x6c1/0x840
[ 20.833601][ T2979] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 20.840089][ T2979] ? do_page_cache_ra+0xde/0x100
[ 20.845127][ T2979] force_page_cache_ra+0x288/0x2e0
[ 20.850354][ T2979] filemap_read+0x809/0x23d0
[ 20.855676][ T2979] ? find_get_pages_range_tag+0x570/0x570
[ 20.861591][ T2979] ? memset+0x1f/0x40
[ 20.865601][ T2979] ? generic_file_read_iter+0x9e/0x4a0
[ 20.871203][ T2979] ? memset+0x1f/0x40
[ 20.875298][ T2979] ? init_sync_kiocb+0x303/0x4b0
[ 20.880251][ T2979] vfs_read+0x5cd/0x760
[ 20.884603][ T2979] ? kernel_read+0x1f0/0x1f0
[ 20.889200][ T2979] ? __fget_light+0xcc/0x170
[ 20.893838][ T2979] ksys_read+0x19f/0x2d0
[ 20.898157][ T2979] ? vfs_write+0x720/0x720
[ 20.902646][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 20.908616][ T2979] ? lockdep_hardirqs_on+0x95/0x140
[ 20.913812][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 20.919831][ T2979] do_syscall_64+0x44/0xa0
[ 20.924431][ T2979] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.930418][ T2979] RIP: 0033:0x7fef837538fe
[ 20.934855][ T2979] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 20.954802][ T2979] RSP: 002b:00007ffea8972ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 20.963380][ T2979] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007fef837538fe
[ 20.971639][ T2979] RDX: 0000000000000040 RSI: 000055f64a2af6d8 RDI: 0000000000000009
[ 20.979995][ T2979] RBP: 0000000000000040 R08: 000055f64a2af6b0 R09: 00007fef83823a60
[ 20.988207][ T2979] R10: 0000000000200000 R11: 0000000000000246 R12: 000055f64a2af6b0
[ 20.996338][ T2979] R13: 000055f64a2af6c8 R14: 000055f64a2b6720 R15: 000055f64a2b66d0
[ 21.004453][ T2979] </TASK>
[ 21.007945][ T2979] Kernel Offset: disabled
[ 21.012860][ T2979] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build7159890=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 8bcc32a67
nothing to commit, working tree clean
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bcc32a67bc7180173447e1a78c03dae096b4231\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13defd8a880000
Tested on:
commit: 1a2fb220 skbuff: Extract list pointers to silence comp..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7f37c0162d15e714
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ed6ba880000
syzbot tried to test the proposed patch but the build/boot failed:
che: Netfs 'afs' registered for caching
[ 13.500882][ T1] Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
[ 13.510556][ T1] Key type big_key registered
[ 13.519302][ T1] Key type encrypted registered
[ 13.524584][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 13.530967][ T1] Loading compiled-in module X.509 certificates
[ 13.538472][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
[ 13.549867][ T1] ima: Allocated hash algorithm: sha256
[ 13.555945][ T1] ima: No architecture policies found
[ 13.561723][ T1] evm: Initialising EVM extended attributes:
[ 13.568162][ T1] evm: security.selinux (disabled)
[ 13.573567][ T1] evm: security.SMACK64
[ 13.578111][ T1] evm: security.SMACK64EXEC
[ 13.582752][ T1] evm: security.SMACK64TRANSMUTE
[ 13.588073][ T1] evm: security.SMACK64MMAP
[ 13.592999][ T1] evm: security.apparmor (disabled)
[ 13.598532][ T1] evm: security.ima
[ 13.602464][ T1] evm: security.capability
[ 13.607225][ T1] evm: HMAC attrs: 0x1
[ 13.699721][ T1] PM: Magic number: 10:646:713
[ 13.705725][ T1] video4linux radio24: hash matches
[ 13.716160][ T1] printk: console [netcon0] enabled
[ 13.721404][ T1] netconsole: network logging started
[ 13.727580][ T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[ 13.737077][ T1] rdma_rxe: loaded
[ 13.741304][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 13.753006][ T1] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 13.763068][ T1] ALSA device list:
[ 13.764341][ T7] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 13.767026][ T1] #0: Dummy 1
[ 13.776574][ T7] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 13.788911][ T1] #1: Loopback 1
[ 13.792729][ T1] #2: Virtual MIDI Card 1
[ 13.800826][ T1] md: Waiting for all devices to be available before autodetect
[ 13.808606][ T1] md: If you don't use raid, use raid=noautodetect
[ 13.815242][ T1] md: Autodetecting RAID arrays.
[ 13.820269][ T1] md: autorun ...
[ 13.823994][ T1] md: ... autorun DONE.
[ 13.853970][ T1] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[ 13.864437][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 13.886509][ T1] devtmpfs: mounted
[ 13.949731][ T1] Freeing unused kernel image (initmem) memory: 3828K
[ 13.956753][ T1] Write protecting the kernel read-only data: 167936k
[ 13.969087][ T1] Freeing unused kernel image (text/rodata gap) memory: 2012K
[ 13.979387][ T1] Freeing unused kernel image (rodata/data gap) memory: 1688K
[ 13.992266][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 14.002382][ T1] Run /sbin/init as init process
[ 14.257070][ T2936] mount (2936) used greatest stack depth: 23376 bytes left
[ 14.317912][ T2937] EXT4-fs (sda1): re-mounted. Opts: (null). Quota mode: none.
[ 14.357277][ T2939] mkdir (2939) used greatest stack depth: 23296 bytes left
mount: mounting selinuxfs on /sys/fs/selinux failed: No such file or directory
mount: mounting mqueue on /dev/mqueue failed: No such file or directory
mount: [ 14.406166][ T2940] mount (2940) used greatest stack depth: 21664 bytes left
mounting hugetlbfs on /dev/hugepages failed: No such file or directory
mount: mounting fuse.lxcfs on /var/lib/lxcfs failed: No such file or directory
Starting syslogd: OK
Starting acpid: OK
Starting klogd: OK
Running sysctl: OK
[ 14.952768][ T2965] logger (2965) used greatest stack depth: 21264 bytes left
Populating /dev using udev: [ 15.122458][ T2969] udevd[2969]: starting version 3.2.10
[ 15.431463][ T2970] udevd[2970]: starting eudev-3.2.10
[ 15.433624][ T2969] udevd (2969) used greatest stack depth: 19776 bytes left
[ 18.456577][ T2979] ================================================================================
[ 18.469857][ T2979] UBSAN: null-ptr-deref in ./include/linux/pagemap.h:1088:17
[ 18.538074][ T2979] member access within null pointer of type 'struct folio'
[ 18.575904][ T2979] CPU: 0 PID: 2979 Comm: udevd Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 18.586314][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 18.596595][ T2979] Call Trace:
[ 18.599900][ T2979] <TASK>
[ 18.602840][ T2979] dump_stack_lvl+0x1e3/0x2cb
[ 18.607653][ T2979] ? bfq_pos_tree_add_move+0x451/0x451
[ 18.613136][ T2979] ? panic+0x7e3/0x7e3
[ 18.617406][ T2979] ? mpage_readahead+0x6a0/0x6a0
[ 18.622367][ T2979] ubsan_type_mismatch_common+0x280/0x390
[ 18.628692][ T2979] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 18.634794][ T2979] mpage_readahead+0x588/0x6a0
[ 18.639606][ T2979] ? dio_await_one+0x250/0x250
[ 18.644440][ T2979] ? blkdev_fallocate+0x330/0x330
[ 18.649751][ T2979] ? put_page+0x90/0x90
[ 18.654283][ T2979] ? __alloc_pages+0x2fd/0x5f0
[ 18.659256][ T2979] ? blk_start_plug_nr_ios+0xaa/0x210
[ 18.664788][ T2979] read_pages+0x162/0x520
[ 18.669173][ T2979] ? page_cache_ra_unbounded+0x840/0x840
[ 18.674829][ T2979] ? filemap_add_folio+0x1ab/0x220
[ 18.680150][ T2979] ? add_to_page_cache_locked+0x90/0x90
[ 18.685994][ T2979] ? folio_alloc+0x47/0x50
[ 18.690543][ T2979] ? filemap_alloc_folio+0x1a9/0x1c0
[ 18.696205][ T2979] page_cache_ra_unbounded+0x6c1/0x840
[ 18.701964][ T2979] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 18.708384][ T2979] ? do_page_cache_ra+0xde/0x100
[ 18.713352][ T2979] force_page_cache_ra+0x288/0x2e0
[ 18.718608][ T2979] filemap_read+0x809/0x23d0
[ 18.723270][ T2979] ? find_get_pages_range_tag+0x570/0x570
[ 18.729098][ T2979] ? memset+0x1f/0x40
[ 18.733162][ T2979] ? generic_file_read_iter+0x9e/0x4a0
[ 18.739180][ T2979] ? memset+0x1f/0x40
[ 18.743347][ T2979] ? init_sync_kiocb+0x303/0x4b0
[ 18.748408][ T2979] vfs_read+0x5cd/0x760
[ 18.753197][ T2979] ? kernel_read+0x1f0/0x1f0
[ 18.757837][ T2979] ? __fget_light+0xcc/0x170
[ 18.762803][ T2979] ksys_read+0x19f/0x2d0
[ 18.767273][ T2979] ? vfs_write+0x720/0x720
[ 18.771729][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.777991][ T2979] ? lockdep_hardirqs_on+0x95/0x140
[ 18.783257][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 18.789379][ T2979] do_syscall_64+0x44/0xa0
[ 18.794342][ T2979] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 18.800265][ T2979] RIP: 0033:0x7fef837538fe
[ 18.804785][ T2979] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 18.824787][ T2979] RSP: 002b:00007ffea8972ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 18.834099][ T2979] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007fef837538fe
[ 18.842179][ T2979] RDX: 0000000000000040 RSI: 000055f64a2af6d8 RDI: 0000000000000009
[ 18.850170][ T2979] RBP: 0000000000000040 R08: 000055f64a2af6b0 R09: 00007fef83823a60
[ 18.858243][ T2979] R10: 0000000000200000 R11: 0000000000000246 R12: 000055f64a2af6b0
[ 18.866500][ T2979] R13: 000055f64a2af6c8 R14: 000055f64a2b6720 R15: 000055f64a2b66d0
[ 18.874677][ T2979] </TASK>
[ 19.500327][ T2991] ================================================================================
[ 19.661875][ T2991] UBSAN: object-size-mismatch in net/unix/af_unix.c:1094:14
[ 19.717755][ T2991] member access within address ffff88801815e6c8 with insufficient space
[ 19.779625][ T2991] for an object of type 'struct sockaddr_un'
[ 19.844942][ T2991] CPU: 1 PID: 2991 Comm: udevadm Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 19.855745][ T2991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 19.866130][ T2991] Call Trace:
[ 19.869498][ T2991] <TASK>
[ 19.872430][ T2991] dump_stack_lvl+0x1e3/0x2cb
[ 19.877100][ T2991] ? bfq_pos_tree_add_move+0x451/0x451
[ 19.882543][ T2991] ? panic+0x7e3/0x7e3
[ 19.886901][ T2991] ubsan_type_mismatch_common+0x1e6/0x390
[ 19.892637][ T2991] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 19.898625][ T2991] unix_autobind+0x13e/0x4d0
[ 19.903239][ T2991] unix_stream_connect+0x622/0xbf0
[ 19.908342][ T2991] ? bpf_lsm_socket_connect+0x5/0x10
[ 19.914131][ T2991] ? security_socket_connect+0x9d/0xb0
[ 19.919703][ T2991] __x64_sys_connect+0x15b/0x1e0
[ 19.924797][ T2991] ? __sys_connect+0x170/0x170
[ 19.929592][ T2991] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.935598][ T2991] ? lockdep_hardirqs_on+0x95/0x140
[ 19.941067][ T2991] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 19.947035][ T2991] do_syscall_64+0x44/0xa0
[ 19.951623][ T2991] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 19.957618][ T2991] RIP: 0033:0x7f474d116d23
[ 19.962241][ T2991] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 18 89 54 24 0c 48
[ 19.982635][ T2991] RSP: 002b:00007fffd159a368 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 19.991348][ T2991] RAX: ffffffffffffffda RBX: 0000559aa0cda930 RCX: 00007f474d116d23
[ 19.999354][ T2991] RDX: 0000000000000013 RSI: 0000559aa0cda948 RDI: 0000000000000003
[ 20.007628][ T2991] RBP: 000000000000001e R08: 000000000000001e R09: 0030312e322e332d
[ 20.015622][ T2991] R10: 00007fffd159a4b4 R11: 0000000000000246 R12: 00007fffd159a380
[ 20.023593][ T2991] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000007
[ 20.031578][ T2991] </TASK>
[ 20.613100][ T2979] ================================================================================
[ 20.681439][ T2979] Kernel panic - not syncing: panic_on_warn set ...
[ 20.688430][ T2979] CPU: 0 PID: 2979 Comm: udevd Not tainted 5.16.0-rc3-syzkaller-01043-g1a2fb220edca-dirty #0
[ 20.698597][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 20.708677][ T2979] Call Trace:
[ 20.711976][ T2979] <TASK>
[ 20.714926][ T2979] dump_stack_lvl+0x1e3/0x2cb
[ 20.719636][ T2979] ? bfq_pos_tree_add_move+0x451/0x451
[ 20.725127][ T2979] ? panic+0x7e3/0x7e3
[ 20.729236][ T2979] panic+0x2f1/0x7e3
[ 20.733377][ T2979] ? ubsan_type_mismatch_common+0x2a4/0x390
[ 20.739478][ T2979] ? fb_is_primary_device+0xcc/0xcc
[ 20.744706][ T2979] ? panic+0x7e3/0x7e3
[ 20.748985][ T2979] ? mpage_readahead+0x6a0/0x6a0
[ 20.754056][ T2979] ubsan_type_mismatch_common+0x38c/0x390
[ 20.760262][ T2979] __ubsan_handle_type_mismatch_v1+0x4a/0x60
[ 20.766546][ T2979] mpage_readahead+0x588/0x6a0
[ 20.771338][ T2979] ? dio_await_one+0x250/0x250
[ 20.776581][ T2979] ? blkdev_fallocate+0x330/0x330
[ 20.781833][ T2979] ? put_page+0x90/0x90
[ 20.786019][ T2979] ? __alloc_pages+0x2fd/0x5f0
[ 20.790815][ T2979] ? blk_start_plug_nr_ios+0xaa/0x210
[ 20.796385][ T2979] read_pages+0x162/0x520
[ 20.800836][ T2979] ? page_cache_ra_unbounded+0x840/0x840
[ 20.806593][ T2979] ? filemap_add_folio+0x1ab/0x220
[ 20.811913][ T2979] ? add_to_page_cache_locked+0x90/0x90
[ 20.817565][ T2979] ? folio_alloc+0x47/0x50
[ 20.822089][ T2979] ? filemap_alloc_folio+0x1a9/0x1c0
[ 20.827414][ T2979] page_cache_ra_unbounded+0x6c1/0x840
[ 20.833601][ T2979] ? read_cache_pages_invalidate_pages+0xa0/0xa0
[ 20.840089][ T2979] ? do_page_cache_ra+0xde/0x100
[ 20.845127][ T2979] force_page_cache_ra+0x288/0x2e0
[ 20.850354][ T2979] filemap_read+0x809/0x23d0
[ 20.855676][ T2979] ? find_get_pages_range_tag+0x570/0x570
[ 20.861591][ T2979] ? memset+0x1f/0x40
[ 20.865601][ T2979] ? generic_file_read_iter+0x9e/0x4a0
[ 20.871203][ T2979] ? memset+0x1f/0x40
[ 20.875298][ T2979] ? init_sync_kiocb+0x303/0x4b0
[ 20.880251][ T2979] vfs_read+0x5cd/0x760
[ 20.884603][ T2979] ? kernel_read+0x1f0/0x1f0
[ 20.889200][ T2979] ? __fget_light+0xcc/0x170
[ 20.893838][ T2979] ksys_read+0x19f/0x2d0
[ 20.898157][ T2979] ? vfs_write+0x720/0x720
[ 20.902646][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 20.908616][ T2979] ? lockdep_hardirqs_on+0x95/0x140
[ 20.913812][ T2979] ? syscall_enter_from_user_mode+0x2e/0x1c0
[ 20.919831][ T2979] do_syscall_64+0x44/0xa0
[ 20.924431][ T2979] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 20.930418][ T2979] RIP: 0033:0x7fef837538fe
[ 20.934855][ T2979] Code: c0 e9 e6 fe ff ff 50 48 8d 3d 0e c7 09 00 e8 c9 cf 01 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 20.954802][ T2979] RSP: 002b:00007ffea8972ab8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 20.963380][ T2979] RAX: ffffffffffffffda RBX: 000000007fff0000 RCX: 00007fef837538fe
[ 20.971639][ T2979] RDX: 0000000000000040 RSI: 000055f64a2af6d8 RDI: 0000000000000009
[ 20.979995][ T2979] RBP: 0000000000000040 R08: 000055f64a2af6b0 R09: 00007fef83823a60
[ 20.988207][ T2979] R10: 0000000000200000 R11: 0000000000000246 R12: 000055f64a2af6b0
[ 20.996338][ T2979] R13: 000055f64a2af6c8 R14: 000055f64a2b6720 R15: 000055f64a2b66d0
[ 21.004453][ T2979] </TASK>
[ 21.007945][ T2979] Kernel Offset: disabled
[ 21.012860][ T2979] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build7159890=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 8bcc32a67
nothing to commit, working tree clean
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=8bcc32a67bc7180173447e1a78c03dae096b4231 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220415-122244'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"8bcc32a67bc7180173447e1a78c03dae096b4231\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13defd8a880000
Tested on:
commit: 1a2fb220 skbuff: Extract list pointers to silence comp..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7f37c0162d15e714
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ed6ba880000
Hillf Danton
Oct 23, 2022, 12:01:57 AM10/23/22
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 18 Oct 2021 06:22:25 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
>
> HEAD commit: cf52ad5ff16c Merge tag 'driver-core-5.15-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16db5734b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9479508d7bb83ad9
> dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11af3768b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16788f94b00000
Load firmware in sync manner to fix uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aae703b02f92
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3663,8 +3663,9 @@ static inline bool netif_attr_test_online(unsigned long j,
static inline unsigned int netif_attrmask_next(int n, const unsigned long *srcp,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);
if (srcp)
return find_next_bit(srcp, nr_bits, n + 1);
@@ -3685,8 +3686,9 @@ static inline int netif_attrmask_next_and(int n, const unsigned long *src1p,
const unsigned long *src2p,
unsigned int nr_bits)
{
- /* n is a prior cpu */
- cpu_max_bits_warn(n + 1, nr_bits);
+ /* -1 is a legal arg here. */
+ if (n != -1)
+ cpu_max_bits_warn(n, nr_bits);
if (src1p && src2p)
return find_next_and_bit(src1p, src2p, nr_bits, n + 1);
syzbot
Oct 23, 2022, 12:33:17 AM10/23/22
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+ef17b5...@syzkaller.appspotmail.com
Tested on:
commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12f6abd2880000
kernel config: https://syzkaller.appspot.com/x/.config?x=4aa6e5678f6a04d5
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17dbacba880000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+ef17b5...@syzkaller.appspotmail.com
Tested on:
commit: aae703b0 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12f6abd2880000
kernel config: https://syzkaller.appspot.com/x/.config?x=4aa6e5678f6a04d5
dashboard link: https://syzkaller.appspot.com/bug?extid=ef17b5b364116518fd65
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17dbacba880000
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages