[syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release


syzbot

Nov 19, 2024, 1:42:29 PM
to linux-...@vger.kernel.org, linux...@vger.kernel.org, linu...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: cfaaa7d010d1 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1365b1a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=327b6119dd928cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d7dcc0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11176b5f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/165690e61317/disk-cfaaa7d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f9a0f36bc43c/vmlinux-cfaaa7d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6e15e2011b02/bzImage-cfaaa7d0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6b52c2...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
Read of size 8 at addr ffff8880502e80c8 by task v4l_id/7854

CPU: 1 UID: 0 PID: 7854 Comm: v4l_id Not tainted 6.12.0-rc7-syzkaller-00125-gcfaaa7d010d1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
__fput+0x3f6/0xb60 fs/file_table.c:431
__fput_sync+0x45/0x50 fs/file_table.c:516
__do_sys_close fs/open.c:1567 [inline]
__se_sys_close fs/open.c:1552 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1552
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb945b170a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffce37bdcf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007fb945ecdce0 RCX: 00007fb945b170a8
RDX: 0000000000000001 RSI: 000055f495dc60e7 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000006 R09: 0000000000000000
R10: 000055f495dc60e1 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffce37bdef0 R14: 000055f495dbf670 R15: 00007fb945fb3a80
</TASK>

Allocated by task 6058:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
hackrf_probe+0xd1/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1353
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 6058:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727
hackrf_probe+0x4c9/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1525
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff8880502e8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 200 bytes inside of
freed 8192-byte region [ffff8880502e8000, ffff8880502ea000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x502e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000140ba01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (S10udev), ts 13144656310, free_ts 10453105280
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0xcb3/0x2170 security/tomoyo/audit.c:264
tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x193/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xe8e/0x2070 security/tomoyo/domain.c:881
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12b/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:1297
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve fs/exec.c:1845 [inline]
bprm_execve+0x642/0x1960 fs/exec.c:1821
do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:1952
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
free_contig_range+0x133/0x3f0 mm/page_alloc.c:6765
destroy_args+0xa87/0xe60 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x168e/0x31a0 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x128/0x700 init/main.c:1269
do_initcall_level init/main.c:1331 [inline]
do_initcalls init/main.c:1347 [inline]
do_basic_setup init/main.c:1366 [inline]
kernel_init_freeable+0x5c7/0x900 init/main.c:1580
kernel_init+0x1c/0x2b0 init/main.c:1469
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880502e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880502e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880502e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8880502e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880502e8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
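
The lifetime problem the stacks above describe, modelled as an added example in plain user-space C. This is not the hackrf driver's code, not kernel code, and it uses no kernel API; the struct, the refcount and every function name in it are invented for illustration. The scenario it encodes is an inference from the report: the object kzalloc'ed in hackrf_probe is kfree'd by the same probe call on its error path while a user-space task (v4l_id) still has a file open on the rx node that probe had already registered, and v4l2_release then reads the freed object on close(). The model runs that sequence twice, once freeing the object directly in the unwind and once through a refcount that the open file holds, and returns what the close path observed in each case. Freeing is simulated by clearing a flag, so the dangling access is detected deterministically rather than being undefined behaviour.

```c
/* Added example: a user-space model of the lifetime bug class in the report
 * above. Not the hackrf driver, not kernel code, no kernel API; every name is
 * invented. "Freeing" only clears an object's `live` flag instead of calling
 * free(), so a dangling access is detected deterministically (KASAN's role in
 * the report) instead of being undefined behaviour. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define UAF_DETECTED (-1)

/* Stand-in for the driver-private object: kzalloc'ed in probe, kfree'd on its error path. */
struct priv {
    bool live;          /* false once the object has been "freed" */
    int  refs;          /* stand-in for a v4l2_device-style refcount */
    bool rx_registered; /* the rx node is visible to user space */
    char name[16];      /* a field the release path reads */
};

static struct priv *priv_alloc(const char *name)
{
    struct priv *p = calloc(1, sizeof *p);
    if (!p)
        return NULL;
    p->live = true;
    p->refs = 1;                            /* probe's own reference */
    strncpy(p->name, name, sizeof p->name - 1);
    return p;
}

static void priv_free(struct priv *p) { p->live = false; }  /* kfree() */
static void priv_put(struct priv *p)        /* refcounted release */
{
    if (--p->refs == 0)
        priv_free(p);
}

/* open() on the rx node by user space (v4l_id in the report): only possible
 * once registered; the open file pins the object and keeps it as private data. */
static struct priv *user_open(struct priv *p)
{
    if (!p->rx_registered)
        return NULL;
    p->refs++;
    return p;
}

/* close(): the v4l2_release analogue. Dereferences the object behind the file,
 * then drops the reference. Returns strlen(name), or UAF_DETECTED when the
 * object was freed underneath the still-open file. */
static int user_close(struct priv *file_priv)
{
    if (!file_priv->live)
        return UAF_DETECTED;                /* what KASAN reported */
    int n = (int)strlen(file_priv->name);
    priv_put(file_priv);
    return n;
}

/* Probe model: rx registers and user space opens it at once, then the tx
 * registration fails and probe unwinds. With refcounted == false the unwind
 * frees the object while that file is open: an unconditional kfree(dev). */
static int probe(bool refcounted, struct priv **file, struct priv **obj)
{
    struct priv *p = priv_alloc("rx");
    if (!p)
        return -1;
    *obj = p;
    p->rx_registered = true;                /* video_register_device(rx) ok */
    *file = user_open(p);                   /* udev opens the new node */
    p->rx_registered = false;               /* tx failed: unregister rx */
    if (refcounted)
        priv_put(p);                        /* freed when the last ref drops */
    else
        priv_free(p);                       /* direct kfree(dev) */
    return -1;                              /* probe fails, as in the report */
}

/* Returns what the user's close() observed; *freed reports whether the object
 * had been released by the time that close() returned. */
static int run_scenario(bool refcounted, bool *freed)
{
    struct priv *file = NULL, *obj = NULL;
    (void)probe(refcounted, &file, &obj);
    int r = file ? user_close(file) : -2;
    *freed = obj && !obj->live;
    free(obj);                              /* release the modelled memory */
    return r;
}

int  close_result_direct_free(void) { bool f; return run_scenario(false, &f); } /* UAF_DETECTED */
int  close_result_refcounted(void)  { bool f; return run_scenario(true, &f); }  /* 2 */
bool refcounted_object_freed_after_close(void) { bool f; run_scenario(true, &f); return f; }

int main(void)
{
    return (close_result_direct_free() == UAF_DETECTED &&
            close_result_refcounted() == 2 &&
            refcounted_object_freed_after_close()) ? 0 : 1;
}
```

Build it with `cc -std=c11 model.c && ./a.out`; exit status 0 means the direct-free run hit the modelled use-after-free and the refcounted run released the object only after the last close. The point the model makes is independent of teardown order: once a device node has been registered, user space may already hold an open file on the private object, so that object cannot be freed unconditionally from the probe error path; it has to outlive the last open file.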

Nikita Zhandarovich

Jan 26, 2025, 11:12:52 AM
to syzbot+6b52c2...@syzkaller.appspotmail.com, Nikita Zhandarovich, syzkall...@googlegroups.com, linux-...@vger.kernel.org
Try fixing the order of releasing things in case of a faulty
device registration.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/media/usb/hackrf/hackrf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/hackrf/hackrf.c b/drivers/media/usb/hackrf/hackrf.c
index 0b50de8775a3..bc910b35f605 100644
--- a/drivers/media/usb/hackrf/hackrf.c
+++ b/drivers/media/usb/hackrf/hackrf.c
@@ -1513,12 +1513,12 @@ static int hackrf_probe(struct usb_interface *intf,
return 0;
err_video_unregister_device_rx:
video_unregister_device(&dev->rx_vdev);
-err_v4l2_device_unregister:
- v4l2_device_unregister(&dev->v4l2_dev);
err_v4l2_ctrl_handler_free_tx:
v4l2_ctrl_handler_free(&dev->tx_ctrl_handler);
err_v4l2_ctrl_handler_free_rx:
v4l2_ctrl_handler_free(&dev->rx_ctrl_handler);
+err_v4l2_device_unregister:
+ v4l2_device_unregister(&dev->v4l2_dev);
err_kfree:
kfree(dev);
err:
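Review bot: the reorder does not close the window the report describes, so this hunk changes a teardown-order nit rather than the use-after-free. The freed object is the one `hackrf_probe()` allocated and then released with `kfree()` on its error path (hackrf.c:1525 in the reported tree, which corresponds to the `err_kfree:` exit this hunk ends in), and the reader is `v4l2_release()` running from `close()` in a user-space task (`v4l_id`, udev's helper) that already had the registered rx node open. Whatever order `video_unregister_device(&dev->rx_vdev)` and `v4l2_device_unregister(&dev->v4l2_dev)` run in, the unconditional `kfree(dev)` that follows still frees memory an open file can reach; the object has to stay alive until the last open file is released, for instance by moving the free into the v4l2_device release callback and only dropping probe's reference here, which this hunk does not do. A second effect of the move to check: after the change every existing `goto err_v4l2_ctrl_handler_free_tx` / `err_v4l2_ctrl_handler_free_rx` (their call sites are outside the shown context) falls through into `v4l2_device_unregister()`, including paths taken before `v4l2_device_register()` succeeded, so confirm that unregistering a never-registered `struct v4l2_device` is harmless here or keep a separate label for those paths. The clean syzbot run on the reproducer is weak evidence either way: the trigger is a race with udev opening the node, and the follow-up run in this thread applied no patch at all.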

syzbot

Jan 26, 2025, 11:37:05 AM
to linux-...@vger.kernel.org, n.zhand...@fintech.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+6b52c2...@syzkaller.appspotmail.com
Tested-by: syzbot+6b52c2...@syzkaller.appspotmail.com

Tested on:

commit: aa22f4da Merge tag 'rproc-v6.14' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17053624580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d8d1812e6d1408
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13a93624580000

Note: testing is done by a robot and is best-effort only.

Nikita Zhandarovich

Jan 27, 2025, 6:23:18 AM
to syzbot+6b52c2...@syzkaller.appspotmail.com, Nikita Zhandarovich, syzkall...@googlegroups.com, linux-...@vger.kernel.org
Check if the issue is still active.

syzbot

Jan 27, 2025, 12:24:05 PM
to linux-...@vger.kernel.org, n.zhand...@fintech.ru, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in reg_process_self_managed_hints

INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:26592 pid:9 tgid:9 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events reg_todo
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
reg_process_self_managed_hints+0x95/0x1f0 net/wireless/reg.c:3206
reg_todo+0x684/0x910 net/wireless/reg.c:3219
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:2:33 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:2 state:D stack:21856 pid:33 tgid:33 ppid:2 task_flags:0x4208160 flags:0x00004000
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_net_lock include/linux/rtnetlink.h:129 [inline]
addrconf_dad_work+0x121/0x14e0 net/ipv6/addrconf.c:4190
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:6:3422 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:6 state:D stack:22568 pid:3422 tgid:3422 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: netns cleanup_net
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_acquire_if_cleanup_net net/core/dev.c:10272 [inline]
unregister_netdevice_many_notify+0x1a51/0x21a0 net/core/dev.c:11792
unregister_netdevice_many net/core/dev.c:11875 [inline]
unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11741
unregister_netdevice include/linux/netdevice.h:3329 [inline]
_cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1251
ieee80211_remove_interfaces+0x34f/0x720 net/mac80211/iface.c:2305
ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1681
mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5664 [inline]
hwsim_exit_net+0x3ad/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6544
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:172
cleanup_net+0x5c6/0xbf0 net/core/net_namespace.c:652
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:7:3498 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:7 state:D stack:24000 pid:3498 tgid:3498 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events_unbound linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
linkwatch_event+0x51/0xc0 net/core/link_watch.c:285
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:4:5901 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:27488 pid:5901 tgid:5901 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events_power_efficient crda_timeout_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
crda_timeout_work+0x15/0x50 net/wireless/reg.c:540
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz-executor:6463 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:24288 pid:6463 tgid:6463 ppid:1 task_flags:0x400140 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnl_nets_lock net/core/rtnetlink.c:335 [inline]
rtnl_newlink+0x5d9/0x1d60 net/core/rtnetlink.c:4020
rtnetlink_rcv_msg+0x95b/0xea0 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
__sys_sendto+0x488/0x4f0 net/socket.c:2182
__do_sys_sendto net/socket.c:2189 [inline]
__se_sys_sendto net/socket.c:2185 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2185
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f50e3780553
RSP: 002b:00007fff7321e8d8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f50e4464620 RCX: 00007f50e3780553
RDX: 0000000000000054 RSI: 00007f50e4464670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007fff7321e8f4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f50e4464670 R15: 0000000000000000
</TASK>
INFO: task syz-executor:6521 blocked for more than 145 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:27608 pid:6521 tgid:6521 ppid:6517 task_flags:0x400140 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3878
ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
setup_net+0x21f/0x860 net/core/net_namespace.c:362
copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3331
__do_sys_unshare kernel/fork.c:3402 [inline]
__se_sys_unshare kernel/fork.c:3400 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3400
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff68297ff17
RSP: 002b:00007ffec94d6498 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007ff682b35f40 RCX: 00007ff68297ff17
RDX: 00007ff68297e719 RSI: 00007ffec94d6460 RDI: 0000000040000000
RBP: 00007ff682b36528 R08: 00007ff682afb9f0 R09: 00007ff682afb9f0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000006 R14: 0000000000000009 R15: 0000000000000000
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:236 [inline]
watchdog+0xf62/0x12b0 kernel/hung_task.c:399
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6447 Comm: syz-executor Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x111/0x1a0 mm/kasan/generic.c:189
Code: 44 89 c2 e8 c1 ec ff ff 83 f0 01 5b 5d 41 5c c3 cc cc cc cc 48 85 d2 74 4f 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 41 80 38 00 <74> f2 eb b2 41 bc 08 00 00 00 45 29 dc 49 8d 14 2c eb 0c 48 83 c0
RSP: 0018:ffffc90003f67a30 EFLAGS: 00000246
RAX: fffff520007ecf5e RBX: fffff520007ecf60 RCX: ffffffff846fc867
RDX: fffff520007ecf60 RSI: 0000000000000014 RDI: ffffc90003f67ae8
RBP: fffff520007ecf5d R08: 0000000000000001 R09: fffff520007ecf5f
R10: ffffc90003f67afb R11: 0000000000000000 R12: ffffc90003f67ae8
R13: 0000000000000092 R14: ffffc90003f67ae8 R15: 0000000000040257
FS: 00005555573ce500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bfd2a63600 CR3: 0000000031342000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
avc_has_perm_noaudit+0xe7/0x3a0 security/selinux/avc.c:1164
avc_has_perm+0xc1/0x1c0 security/selinux/avc.c:1195
inode_has_perm+0x168/0x1d0 security/selinux/hooks.c:1676
file_has_perm+0x2e8/0x350 security/selinux/hooks.c:1766
selinux_revalidate_file_permission security/selinux/hooks.c:3622 [inline]
selinux_file_permission+0x40d/0x580 security/selinux/hooks.c:3643
security_file_permission+0x1e3/0x210 security/security.c:2844
rw_verify_area+0xb9/0x680 fs/read_write.c:466
vfs_read+0x14c/0xbf0 fs/read_write.c:556
ksys_read+0x207/0x250 fs/read_write.c:708
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcc37d7d11d
Code: a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb b5 e8 78 48 00 00 0f 1f 84 00 00 00 00 00 80 3d 21 04 19 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec
RSP: 002b:00007fff60bf0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055555743cd70 RCX: 00007fcc37d7d11d
RDX: 0000000000000400 RSI: 00005555573e77e0 RDI: 0000000000000021
RBP: 000055555743cd70 R08: 000000000000689e R09: 00005555573e75d8
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555743ce78
R13: 0000000000000001 R14: 00007fff60bf0da0 R15: 000055555743c130
</TASK>


Tested on:

commit: 9c5968db Merge tag 'mm-stable-2025-01-26-14-59' of git..
console output: https://syzkaller.appspot.com/x/log.txt?x=1049f9f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=45875e66f29f20
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

syzbot

Jul 14, 2025, 6:25:18 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.