Hello,
syzbot found the following issue on:
HEAD commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=1013bf0c280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
dashboard link:
https://syzkaller.appspot.com/bug?extid=4b8abd8f290c98754eee
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/fa9c42c5de02/disk-ca1c9012.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/deeadb7af907/vmlinux-ca1c9012.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/3b2d047683d5/bzImage-ca1c9012.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+4b8abd...@syzkaller.appspotmail.com
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
==================================================================
BUG: KASAN: use-after-free in skb_update_prio net/core/dev.c:3904 [inline]
BUG: KASAN: use-after-free in __dev_queue_xmit+0x7b4/0x3c20 net/core/dev.c:4184
Read of size 8 at addr ffff888091984b90 by task aoe_tx0/1255
CPU: 1 PID: 1255 Comm: aoe_tx0 Not tainted 6.1.26-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
skb_update_prio net/core/dev.c:3904 [inline]
__dev_queue_xmit+0x7b4/0x3c20 net/core/dev.c:4184
dev_queue_xmit include/linux/netdevice.h:3017 [inline]
tx+0x66/0x100 drivers/block/aoe/aoenet.c:63
kthread+0x234/0x440 drivers/block/aoe/aoecmd.c:1229
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 19019:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc_node+0xb3/0x230 mm/slab_common.c:962
kmalloc_node include/linux/slab.h:579 [inline]
kvmalloc_node+0x6e/0x180 mm/util.c:581
kvmalloc include/linux/slab.h:706 [inline]
kvzalloc include/linux/slab.h:714 [inline]
alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10583
sixpack_open+0xe6/0xa10 drivers/net/hamradio/6pack.c:558
tty_ldisc_open drivers/tty/tty_ldisc.c:433 [inline]
tty_set_ldisc+0x37a/0x680 drivers/tty/tty_ldisc.c:558
tty_ioctl+0xa61/0xbd0 drivers/tty/tty_io.c:2709
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 19018:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674
device_release+0x91/0x1c0
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x224/0x460 lib/kobject.c:729
tty_ldisc_kill+0xa6/0x1a0 drivers/tty/tty_ldisc.c:608
tty_ldisc_release+0x19d/0x200 drivers/tty/tty_ldisc.c:776
tty_release_struct+0x27/0xd0 drivers/tty/tty_io.c:1689
tty_release+0xcfb/0x12a0 drivers/tty/tty_io.c:1860
__fput+0x3b7/0x890 fs/file_table.c:320
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888091984000
which belongs to the cache kmalloc-cg-8k of size 8192
The buggy address is located 2960 bytes inside of
8192-byte region [ffff888091984000, ffff888091986000)
The buggy address belongs to the physical page:
page:ffffea0002466000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x91980
head:ffffea0002466000 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88807b004961
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea000079a600 dead000000000002 ffff88801244c3c0
raw: 0000000000000000 0000000080020002 00000001ffffffff ffff88807b004961
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 14797, tgid 14796 (syz-executor.2), ts 1988818941704, free_ts 1988790321111
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
alloc_slab_page+0x6a/0x150 mm/slub.c:1794
allocate_slab mm/slub.c:1939 [inline]
new_slab+0x84/0x2d0 mm/slub.c:1992
___slab_alloc+0xa71/0x1080 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
__kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954 [inline]
__kmalloc_node+0xa2/0x230 mm/slab_common.c:962
kmalloc_node include/linux/slab.h:579 [inline]
kvmalloc_node+0x6e/0x180 mm/util.c:581
kvmalloc include/linux/slab.h:706 [inline]
kvzalloc include/linux/slab.h:714 [inline]
alloc_netdev_mqs+0x85/0xeb0 net/core/dev.c:10583
sixpack_open+0xe6/0xa10 drivers/net/hamradio/6pack.c:558
tty_ldisc_open drivers/tty/tty_ldisc.c:433 [inline]
tty_set_ldisc+0x37a/0x680 drivers/tty/tty_ldisc.c:558
tty_ioctl+0xa61/0xbd0 drivers/tty/tty_io.c:2709
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
free_slab mm/slub.c:2031 [inline]
discard_slab mm/slub.c:2037 [inline]
__unfreeze_partials+0x1b7/0x210 mm/slub.c:2586
put_cpu_partial+0x116/0x180 mm/slub.c:2662
qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
sk_prot_alloc+0x58/0x200 net/core/sock.c:2026
sk_alloc+0x36/0x350 net/core/sock.c:2085
rds_create+0x83/0x4a0 net/rds/af_rds.c:706
__sock_create+0x460/0x8d0 net/socket.c:1520
sock_create net/socket.c:1571 [inline]
__sys_socket_create net/socket.c:1608 [inline]
__sys_socket+0x136/0x3a0 net/socket.c:1636
__do_sys_socket net/socket.c:1649 [inline]
__se_sys_socket net/socket.c:1647 [inline]
__x64_sys_socket+0x76/0x80 net/socket.c:1647
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
Memory state around the buggy address:
ffff888091984a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091984b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888091984b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091984c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091984c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup