KASAN: slab-out-of-bounds Read in print_lock


syzbot

Jul 9, 2022, 4:47:25 AM7/9/22
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 90557fa89d3e dt-bindings: usb: atmel: Add Microchip LAN966..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=14a4fa84080000
kernel config: https://syzkaller.appspot.com/x/.config?x=33f1eaa5b20a699
dashboard link: https://syzkaller.appspot.com/bug?extid=d97742a56cd87b253621
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [ebie...@xmission.com kees...@chromium.org linux-...@vger.kernel.org linux-...@vger.kernel.org linu...@kvack.org vi...@zeniv.linux.org.uk linu...@vger.kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d97742...@syzkaller.appspotmail.com

BUG: MAX_LOCK_DEPTH too low!
turning off the locking correctness validator.
depth: 601 max: 48!
601 locks held by dhcpcd-run-hook/17081:
#0: ffff88810ee5c208 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: prepare_bprm_creds fs/exec.c:1471 [inline]
#0: ffff88810ee5c208 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0xb2/0x1960 fs/exec.c:1806
#1: ffff88810ee5c2a0 (&sig->exec_update_lock){+.+.}-{3:3}, at: exec_mmap fs/exec.c:994 [inline]
#1: ffff88810ee5c2a0 (&sig->exec_update_lock){+.+.}-{3:3}, at: begin_new_exec+0xca8/0x2ec0 fs/exec.c:1297
#2: ffff88811692d528 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#2: ffff88811692d528 (&mm->mmap_lock#2){++++}-{3:3}, at: exit_mmap+0x112/0x4a0 mm/mmap.c:3147
#3: ffffffff8ba45218 (&obj_hash[i].lock){-.-.}-{2:2}, at: __debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
#3: ffffffff8ba45218 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
#4: ffffffff8b9b0ca0 (&obj_hash[i].lock){-.-.}-{2:2}, at: __debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
#4: ffffffff8b9b0ca0 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
#5: ffff888100218688 (&memcg->move_lock){..-.}-{2:2}, at: folio_memcg_lock+0x12c/0x6c0 mm/memcontrol.c:2052
#6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
#6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
#6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
#6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
#6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
#7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
#7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
#7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
#7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
#7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
#8: ffff88810ba8c230 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0xa4/0x1410 kernel/sched/core.c:4079
#9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
#9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
#9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
#9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
#9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
#10: ffff8881f6837cd8 (&cfs_rq->removed.lock){-.-.}-{2:2}, at: update_cfs_rq_load_avg kernel/sched/fair.c:3752 [inline]
#10: ffff8881f6837cd8 (&cfs_rq->removed.lock){-.-.}-{2:2}, at: update_load_avg+0xa44/0x1d10 kernel/sched/fair.c:3913
#11: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#12: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#13: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#14: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#15: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#16: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#17: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#18: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#19: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#20: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#21: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#22: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#23: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#24: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#25: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#26: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#27: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#28: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#29: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#30: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#31: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#32: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#33: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#34: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#35: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#36: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#37: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#38: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#39: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#40: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#41: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#42: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#43: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#44: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#45: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#46: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#47: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#48: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#49: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#50: 0000000000000005 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#51: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#52: ffffffff89c77100 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#53: <RELEASED>
#54: <RELEASED>
#55: <RELEASED>
#56: <RELEASED>
#57: <RELEASED>
#58: 0000000000000000 (tunnel4_mutex){+.+.}-{3:3}, at: lock_classes+0x17580/0x180020
#59: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#60: ffffffff89c7d120 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xffffffffffffffff
#61: <RELEASED>
#62: <RELEASED>
#63: ffff888111814cd8 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xffff888111814cd8
#64: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#65: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x2
#66: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#67: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xc350
#68: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#69: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#70: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#71: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#72: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#73: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#74: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#75: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#76: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#77: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#78: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#79: 0000000000000000 (pool_lock){-.-.}-{2:2}, at: 0x0
#80: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#81: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#82: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#83: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#84: 00007f06ea5b2800 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#85: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#86: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#87: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#88: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x1
#89: 0000000000000007 (&bdev->bd_fsfreeze_mutex){+.+.}-{3:3}, at: 0x34000000340
#90: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x7
#91: 000000000000037f (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#92: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#93: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#94: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#95: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#96: 0000560db1759e00 (kernfs_idr_lock){+.+.}-{2:2}, at: 0x560db1759bd0
#97: ffff000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x2f2f2f2f2f2f2f2f
#98: 0000000000000000 (kernfs_idr_lock){+.+.}-{2:2}, at: 0x0
#99: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#100: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#101: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#102: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#103: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#104: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x3
#105: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#106: 54415000736b6f6f (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x682d6e75722d6463
#107: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#108: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#109: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#110: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#111: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
#112:
==================================================================
BUG: KASAN: slab-out-of-bounds in hlock_class kernel/locking/lockdep.c:222 [inline]
BUG: KASAN: slab-out-of-bounds in print_lock+0x118/0x120 kernel/locking/lockdep.c:766
Read of size 4 at addr ffff888111815498 by task dhcpcd-run-hook/17081

CPU: 1 PID: 17081 Comm: dhcpcd-run-hook Not tainted 5.19.0-rc4-syzkaller-00099-g90557fa89d3e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
hlock_class kernel/locking/lockdep.c:222 [inline]
print_lock+0x118/0x120 kernel/locking/lockdep.c:766
lockdep_print_held_locks+0x110/0x119 kernel/locking/lockdep.c:795
__lock_acquire+0x199b/0x5660 kernel/locking/lockdep.c:5069
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
__debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
free_pages_prepare mm/page_alloc.c:1377 [inline]
free_pcp_prepare+0x2de/0xb80 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page_list+0x170/0xd70 mm/page_alloc.c:3475
release_pages+0x870/0x20f0 mm/swap.c:980
tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:58
tlb_flush_mmu_free mm/mmu_gather.c:255 [inline]
tlb_flush_mmu mm/mmu_gather.c:262 [inline]
tlb_finish_mmu+0x147/0x7e0 mm/mmu_gather.c:353
exit_mmap+0x1de/0x4a0 mm/mmap.c:3164
__mmput kernel/fork.c:1187 [inline]
mmput+0xcc/0x410 kernel/fork.c:1208
exec_mmap fs/exec.c:1038 [inline]
begin_new_exec+0x101b/0x2ec0 fs/exec.c:1297
load_elf_binary+0x15a3/0x4ec0 fs/binfmt_elf.c:1002
search_binary_handler fs/exec.c:1728 [inline]
exec_binprm fs/exec.c:1769 [inline]
bprm_execve fs/exec.c:1838 [inline]
bprm_execve+0x7ef/0x1960 fs/exec.c:1800
do_execveat_common+0x727/0x890 fs/exec.c:1943
do_execve fs/exec.c:2017 [inline]
__do_sys_execve fs/exec.c:2093 [inline]
__se_sys_execve fs/exec.c:2088 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:2088
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f06ea71c337
Code: Unable to access opcode bytes at RIP 0x7f06ea71c30d.
RSP: 002b:00007ffdf6ea0008 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000560db1759e60 RCX: 00007f06ea71c337
RDX: 0000560db1759e80 RSI: 0000560db1759e60 RDI: 0000560db1759f08
RBP: 0000560db1759f08 R08: 0000560db1759f0d R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000560db1759e80
R13: 00007f06ea8c1ff4 R14: 0000560db1759e80 R15: 0000000000000000
</TASK>

Allocated by task 17070:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:469
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slub.c:3243 [inline]
kmem_cache_alloc_node+0x25e/0x4b0 mm/slub.c:3293
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct kernel/fork.c:969 [inline]
copy_process+0x5c4/0x6dd0 kernel/fork.c:2071
kernel_clone+0xe7/0xab0 kernel/fork.c:2655
__do_sys_clone+0xba/0x100 kernel/fork.c:2789
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff888111813900
which belongs to the cache task_struct of size 7040
The buggy address is located 24 bytes to the right of
7040-byte region [ffff888111813900, ffff888111815480)

The buggy address belongs to the physical page:
page:ffffea0004460400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111810
head:ffffea0004460400 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888109ebbd81
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 0000000000000000 dead000000000122 ffff88810016b280
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff888109ebbd81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 17077, tgid 17077 (dhcpcd-run-hook), ts 1050404477757, free_ts 1050392857231
prep_new_page mm/page_alloc.c:2456 [inline]
get_page_from_freelist+0x138c/0x27a0 mm/page_alloc.c:4198
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
alloc_slab_page mm/slub.c:1824 [inline]
allocate_slab+0x26c/0x3c0 mm/slub.c:1969
new_slab mm/slub.c:2029 [inline]
___slab_alloc+0x98f/0xda0 mm/slub.c:3031
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
slab_alloc_node mm/slub.c:3209 [inline]
kmem_cache_alloc_node+0x397/0x4b0 mm/slub.c:3293
alloc_task_struct_node kernel/fork.c:172 [inline]
dup_task_struct kernel/fork.c:969 [inline]
copy_process+0x5c4/0x6dd0 kernel/fork.c:2071
kernel_clone+0xe7/0xab0 kernel/fork.c:2655
__do_sys_clone+0xba/0x100 kernel/fork.c:2789
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x537/0xb80 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page+0x19/0x5a0 mm/page_alloc.c:3438
device_release+0x9f/0x240 drivers/base/core.c:2230
kobject_cleanup lib/kobject.c:673 [inline]
kobject_release lib/kobject.c:704 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x540 lib/kobject.c:721
put_device+0x1b/0x30 drivers/base/core.c:3524
ath9k_htc_probe_device+0x1c7/0x1f00 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:508
ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2ef/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Memory state around the buggy address:
ffff888111815380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888111815400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888111815480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
ffff888111815500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888111815580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Oct 3, 2022, 4:45:29 AM10/3/22
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.