From: syzbot <syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, n.zhandarovich@fintech.ru,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
Date: Mon, 27 Jan 2025 09:24:03 -0800
Message-ID: <6797c133.050a0220.ac840.01d3.GAE@google.com>
In-Reply-To: <20250127112309.444236-1-n.zhandarovich@fintech.ru>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in reg_process_self_managed_hints
INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:26592 pid:9 tgid:9 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events reg_todo
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
reg_process_self_managed_hints+0x95/0x1f0 net/wireless/reg.c:3206
reg_todo+0x684/0x910 net/wireless/reg.c:3219
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:2:33 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:2 state:D stack:21856 pid:33 tgid:33 ppid:2 task_flags:0x4208160 flags:0x00004000
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_net_lock include/linux/rtnetlink.h:129 [inline]
addrconf_dad_work+0x121/0x14e0 net/ipv6/addrconf.c:4190
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:6:3422 blocked for more than 143 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:6 state:D stack:22568 pid:3422 tgid:3422 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: netns cleanup_net
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_acquire_if_cleanup_net net/core/dev.c:10272 [inline]
unregister_netdevice_many_notify+0x1a51/0x21a0 net/core/dev.c:11792
unregister_netdevice_many net/core/dev.c:11875 [inline]
unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11741
unregister_netdevice include/linux/netdevice.h:3329 [inline]
_cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1251
ieee80211_remove_interfaces+0x34f/0x720 net/mac80211/iface.c:2305
ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1681
mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5664 [inline]
hwsim_exit_net+0x3ad/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6544
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:172
cleanup_net+0x5c6/0xbf0 net/core/net_namespace.c:652
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/u8:7:3498 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:7 state:D stack:24000 pid:3498 tgid:3498 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events_unbound linkwatch_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
linkwatch_event+0x51/0xc0 net/core/link_watch.c:285
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:4:5901 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:27488 pid:5901 tgid:5901 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: events_power_efficient crda_timeout_work
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
crda_timeout_work+0x15/0x50 net/wireless/reg.c:540
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3317 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz-executor:6463 blocked for more than 144 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:24288 pid:6463 tgid:6463 ppid:1 task_flags:0x400140 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
rtnl_lock net/core/rtnetlink.c:79 [inline]
rtnl_nets_lock net/core/rtnetlink.c:335 [inline]
rtnl_newlink+0x5d9/0x1d60 net/core/rtnetlink.c:4020
rtnetlink_rcv_msg+0x95b/0xea0 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
__sys_sendto+0x488/0x4f0 net/socket.c:2182
__do_sys_sendto net/socket.c:2189 [inline]
__se_sys_sendto net/socket.c:2185 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2185
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f50e3780553
RSP: 002b:00007fff7321e8d8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f50e4464620 RCX: 00007f50e3780553
RDX: 0000000000000054 RSI: 00007f50e4464670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007fff7321e8f4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f50e4464670 R15: 0000000000000000
</TASK>
INFO: task syz-executor:6521 blocked for more than 145 seconds.
Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:27608 pid:6521 tgid:6521 ppid:6517 task_flags:0x400140 flags:0x00004000
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5377 [inline]
__schedule+0xf43/0x5890 kernel/sched/core.c:6764
__schedule_loop kernel/sched/core.c:6841 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6856
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
__mutex_lock_common kernel/locking/mutex.c:662 [inline]
__mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3878
ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
setup_net+0x21f/0x860 net/core/net_namespace.c:362
copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3331
__do_sys_unshare kernel/fork.c:3402 [inline]
__se_sys_unshare kernel/fork.c:3400 [inline]
__x64_sys_unshare+0x31/0x40 kernel/fork.c:3400
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff68297ff17
RSP: 002b:00007ffec94d6498 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007ff682b35f40 RCX: 00007ff68297ff17
RDX: 00007ff68297e719 RSI: 00007ffec94d6460 RDI: 0000000040000000
RBP: 00007ff682b36528 R08: 00007ff682afb9f0 R09: 00007ff682afb9f0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000006 R14: 0000000000000009 R15: 0000000000000000
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:236 [inline]
watchdog+0xf62/0x12b0 kernel/hung_task.c:399
kthread+0x3af/0x750 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6447 Comm: syz-executor Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x111/0x1a0 mm/kasan/generic.c:189
Code: 44 89 c2 e8 c1 ec ff ff 83 f0 01 5b 5d 41 5c c3 cc cc cc cc 48 85 d2 74 4f 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 41 80 38 00 <74> f2 eb b2 41 bc 08 00 00 00 45 29 dc 49 8d 14 2c eb 0c 48 83 c0
RSP: 0018:ffffc90003f67a30 EFLAGS: 00000246
RAX: fffff520007ecf5e RBX: fffff520007ecf60 RCX: ffffffff846fc867
RDX: fffff520007ecf60 RSI: 0000000000000014 RDI: ffffc90003f67ae8
RBP: fffff520007ecf5d R08: 0000000000000001 R09: fffff520007ecf5f
R10: ffffc90003f67afb R11: 0000000000000000 R12: ffffc90003f67ae8
R13: 0000000000000092 R14: ffffc90003f67ae8 R15: 0000000000040257
FS: 00005555573ce500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bfd2a63600 CR3: 0000000031342000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
avc_has_perm_noaudit+0xe7/0x3a0 security/selinux/avc.c:1164
avc_has_perm+0xc1/0x1c0 security/selinux/avc.c:1195
inode_has_perm+0x168/0x1d0 security/selinux/hooks.c:1676
file_has_perm+0x2e8/0x350 security/selinux/hooks.c:1766
selinux_revalidate_file_permission security/selinux/hooks.c:3622 [inline]
selinux_file_permission+0x40d/0x580 security/selinux/hooks.c:3643
security_file_permission+0x1e3/0x210 security/security.c:2844
rw_verify_area+0xb9/0x680 fs/read_write.c:466
vfs_read+0x14c/0xbf0 fs/read_write.c:556
ksys_read+0x207/0x250 fs/read_write.c:708
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcc37d7d11d
Code: a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb b5 e8 78 48 00 00 0f 1f 84 00 00 00 00 00 80 3d 21 04 19 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec
RSP: 002b:00007fff60bf0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055555743cd70 RCX: 00007fcc37d7d11d
RDX: 0000000000000400 RSI: 00005555573e77e0 RDI: 0000000000000021
RBP: 000055555743cd70 R08: 000000000000689e R09: 00005555573e75d8
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555743ce78
R13: 0000000000000001 R14: 00007fff60bf0da0 R15: 000055555743c130
</TASK>
Tested on:
commit: 9c5968db Merge tag 'mm-stable-2025-01-26-14-59' of git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1049f9f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=45875e66f29f20
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
2024-11-19 18:42 [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release syzbot
2025-01-26 16:12 ` Nikita Zhandarovich
2025-01-26 16:37 ` syzbot
2025-01-27 11:23 ` Nikita Zhandarovich
2025-01-27 17:24 ` syzbot [this message]