[moderation] [dri?] KASAN: use-after-free Read in __wait_for_common
0 views
Skip to first unread message
syzbot
Sep 1, 2025, 9:39:32 PM (3 days ago) Sep 1
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 07d9df80082b Merge tag 'perf-tools-fixes-for-v6.17-2025-08..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13df1634580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d4703ac89d9e185a
dashboard link: https://syzkaller.appspot.com/bug?extid=b78fb429b1df0810d09c
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
CC: [air...@gmail.com dri-...@lists.freedesktop.org linux-...@vger.kernel.org maarten....@linux.intel.com mri...@kernel.org sim...@ffwll.ch tzimm...@suse.de]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/014999cdab1c/disk-07d9df80.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/607c7e759cd4/vmlinux-07d9df80.xz
kernel image: https://storage.googleapis.com/syzbot-assets/71507be8769d/bzImage-07d9df80.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b78fb4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
Read of size 1 at addr ffff888053b4ac88 by task syz.2.837/9565
CPU: 1 UID: 0 PID: 9565 Comm: syz.2.837 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
__kasan_check_byte+0x36/0x50 mm/kasan/common.c:568
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire kernel/locking/lockdep.c:5842 [inline]
lock_acquire+0xfc/0x350 kernel/locking/lockdep.c:5825
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
__wait_for_common+0x9d/0x4e0 kernel/sched/completion.c:120
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:221
drm_atomic_helper_swap_state+0x287/0x1560 drivers/gpu/drm/drm_atomic_helper.c:3209
drm_atomic_helper_commit+0x1f4/0x380 drivers/gpu/drm/drm_atomic_helper.c:2198
drm_atomic_commit+0x234/0x300 drivers/gpu/drm/drm_atomic.c:1577
drm_client_modeset_commit_atomic+0x69d/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1103
drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1206
drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1232
__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:238 [inline]
__drm_fb_helper_restore_fbdev_mode_unlocked+0x19f/0x200 drivers/gpu/drm/drm_fb_helper.c:217
drm_fbdev_client_restore+0x2c/0x40 drivers/gpu/drm/clients/drm_fbdev_client.c:31
drm_client_dev_restore+0x1f6/0x2a0 drivers/gpu/drm/drm_client_event.c:117
drm_lastclose drivers/gpu/drm/drm_file.c:408 [inline]
drm_release+0x2c4/0x360 drivers/gpu/drm/drm_file.c:441
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc91838ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdc7ac2d88 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fc9185b7da0 RCX: 00007fc91838ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fc9185b7da0 R08: 000000000000e220 R09: 00000015c7ac307f
R10: 00007fc9185b7cb0 R11: 0000000000000246 R12: 000000000006da8b
R13: 00007fc9185b6090 R14: ffffffffffffffff R15: 00007ffdc7ac2ea0
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53b4a
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea00014ed290 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, tgid 0 (swapper/0), ts 132065966464, free_ts 432965137718
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab mm/slub.c:2655 [inline]
new_slab+0x247/0x330 mm/slub.c:2709
___slab_alloc+0xcf2/0x1740 mm/slub.c:3891
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_node_noprof+0xf5/0x3b0 mm/slub.c:4281
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:578
__alloc_skb+0x166/0x380 net/core/skbuff.c:669
alloc_skb include/linux/skbuff.h:1336 [inline]
new_skb+0x21/0x230 drivers/block/aoe/aoecmd.c:66
aoecmd_cfg_pkts drivers/block/aoe/aoecmd.c:430 [inline]
aoecmd_cfg+0x21c/0x7d0 drivers/block/aoe/aoecmd.c:1374
call_timer_fn+0x197/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
page last free pid 5856 tgid 5856 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4236
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
getname include/linux/fs.h:2918 [inline]
do_sys_openat2+0xb8/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888053b4ab80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888053b4ac00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888053b4ac80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888053b4ad00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888053b4ad80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 07d9df80082b Merge tag 'perf-tools-fixes-for-v6.17-2025-08..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13df1634580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d4703ac89d9e185a
dashboard link: https://syzkaller.appspot.com/bug?extid=b78fb429b1df0810d09c
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
CC: [air...@gmail.com dri-...@lists.freedesktop.org linux-...@vger.kernel.org maarten....@linux.intel.com mri...@kernel.org sim...@ffwll.ch tzimm...@suse.de]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/014999cdab1c/disk-07d9df80.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/607c7e759cd4/vmlinux-07d9df80.xz
kernel image: https://storage.googleapis.com/syzbot-assets/71507be8769d/bzImage-07d9df80.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b78fb4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
Read of size 1 at addr ffff888053b4ac88 by task syz.2.837/9565
CPU: 1 UID: 0 PID: 9565 Comm: syz.2.837 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
__kasan_check_byte+0x36/0x50 mm/kasan/common.c:568
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire kernel/locking/lockdep.c:5842 [inline]
lock_acquire+0xfc/0x350 kernel/locking/lockdep.c:5825
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
__wait_for_common+0x9d/0x4e0 kernel/sched/completion.c:120
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:221
drm_atomic_helper_swap_state+0x287/0x1560 drivers/gpu/drm/drm_atomic_helper.c:3209
drm_atomic_helper_commit+0x1f4/0x380 drivers/gpu/drm/drm_atomic_helper.c:2198
drm_atomic_commit+0x234/0x300 drivers/gpu/drm/drm_atomic.c:1577
drm_client_modeset_commit_atomic+0x69d/0x7e0 drivers/gpu/drm/drm_client_modeset.c:1103
drm_client_modeset_commit_locked+0x14d/0x580 drivers/gpu/drm/drm_client_modeset.c:1206
drm_client_modeset_commit+0x4f/0x80 drivers/gpu/drm/drm_client_modeset.c:1232
__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:238 [inline]
__drm_fb_helper_restore_fbdev_mode_unlocked+0x19f/0x200 drivers/gpu/drm/drm_fb_helper.c:217
drm_fbdev_client_restore+0x2c/0x40 drivers/gpu/drm/clients/drm_fbdev_client.c:31
drm_client_dev_restore+0x1f6/0x2a0 drivers/gpu/drm/drm_client_event.c:117
drm_lastclose drivers/gpu/drm/drm_file.c:408 [inline]
drm_release+0x2c4/0x360 drivers/gpu/drm/drm_file.c:441
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc91838ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdc7ac2d88 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fc9185b7da0 RCX: 00007fc91838ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fc9185b7da0 R08: 000000000000e220 R09: 00000015c7ac307f
R10: 00007fc9185b7cb0 R11: 0000000000000246 R12: 000000000006da8b
R13: 00007fc9185b6090 R14: ffffffffffffffff R15: 00007ffdc7ac2ea0
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53b4a
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea00014ed290 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 0, tgid 0 (swapper/0), ts 132065966464, free_ts 432965137718
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab mm/slub.c:2655 [inline]
new_slab+0x247/0x330 mm/slub.c:2709
___slab_alloc+0xcf2/0x1740 mm/slub.c:3891
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3981
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_node_noprof+0xf5/0x3b0 mm/slub.c:4281
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:578
__alloc_skb+0x166/0x380 net/core/skbuff.c:669
alloc_skb include/linux/skbuff.h:1336 [inline]
new_skb+0x21/0x230 drivers/block/aoe/aoecmd.c:66
aoecmd_cfg_pkts drivers/block/aoe/aoecmd.c:430 [inline]
aoecmd_cfg+0x21c/0x7d0 drivers/block/aoe/aoecmd.c:1374
call_timer_fn+0x197/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
page last free pid 5856 tgid 5856 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4236
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
getname include/linux/fs.h:2918 [inline]
do_sys_openat2+0xb8/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888053b4ab80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888053b4ac00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888053b4ac80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888053b4ad00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888053b4ad80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages