Re: [syzbot] [serial?] KMSAN: uninit-value in n_tty_receive_buf_closing (3)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+dd514b5f0cf048aec256@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, rampxxxx@gmail.com,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [serial?] KMSAN: uninit-value in n_tty_receive_buf_closing (3)
Date: Wed, 24 Sep 2025 23:37:02 -0700	[thread overview]
Message-ID: <68d4e30e.050a0220.3a612a.0005.GAE@google.com> (raw)
In-Reply-To: <CABPJ0viXDF2o1MjbsUBC=0aaBx+CxArAr5rkt961TrVibqLLPQ@mail.gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: use-after-free in n_tty_receive_buf_standard

=====================================================
BUG: KMSAN: use-after-free in variable_test_bit arch/x86/include/asm/bitops.h:227 [inline]
BUG: KMSAN: use-after-free in arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
BUG: KMSAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
BUG: KMSAN: use-after-free in n_tty_receive_buf_standard+0xafd/0x98a0 drivers/tty/n_tty.c:1587
 variable_test_bit arch/x86/include/asm/bitops.h:227 [inline]
 arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
 n_tty_receive_buf_standard+0xafd/0x98a0 drivers/tty/n_tty.c:1587
 __receive_buf drivers/tty/n_tty.c:1624 [inline]
 n_tty_receive_buf_common+0x198b/0x2470 drivers/tty/n_tty.c:1723
 n_tty_receive_buf2+0x4c/0x60 drivers/tty/n_tty.c:1769
 tty_ldisc_receive_buf+0xc3/0x2c0 drivers/tty/tty_buffer.c:387
 tty_port_default_receive_buf+0xd7/0x1a0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:445 [inline]
 flush_to_ldisc+0x43e/0xe30 drivers/tty/tty_buffer.c:495
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xa2d/0x1b80 kernel/workqueue.c:3319
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3400
 kthread+0xd5c/0xf00 kernel/kthread.c:463
 ret_from_fork+0x230/0x380 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was stored to memory at:
 n_tty_receive_buf_standard+0xaf6/0x98a0 arch/x86/include/asm/bitops.h:-1
 __receive_buf drivers/tty/n_tty.c:1624 [inline]
 n_tty_receive_buf_common+0x198b/0x2470 drivers/tty/n_tty.c:1723
 n_tty_receive_buf2+0x4c/0x60 drivers/tty/n_tty.c:1769
 tty_ldisc_receive_buf+0xc3/0x2c0 drivers/tty/tty_buffer.c:387
 tty_port_default_receive_buf+0xd7/0x1a0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:445 [inline]
 flush_to_ldisc+0x43e/0xe30 drivers/tty/tty_buffer.c:495
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xa2d/0x1b80 kernel/workqueue.c:3319
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3400
 kthread+0xd5c/0xf00 kernel/kthread.c:463
 ret_from_fork+0x230/0x380 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_free_hook mm/slub.c:2348 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x252/0xec0 mm/slub.c:4894
 ieee80211_inform_bss+0x12f8/0x1420 net/mac80211/scan.c:160
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0x1bd1/0x3460 net/wireless/scan.c:2380
 cfg80211_inform_bss_data+0x28e/0x8c70 net/wireless/scan.c:3235
 cfg80211_inform_bss_frame_data+0x6cd/0xaa0 net/wireless/scan.c:3326
 ieee80211_bss_info_update+0x8a4/0xaa0 net/mac80211/scan.c:226
 ieee80211_scan_rx+0xa23/0xd70 net/mac80211/scan.c:355
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5186 [inline]
 ieee80211_rx_list+0x464e/0x6630 net/mac80211/rx.c:5423
 ieee80211_rx_napi+0x84/0x400 net/mac80211/rx.c:5446
 ieee80211_rx include/net/mac80211.h:5210 [inline]
 ieee80211_handle_queued_frames+0x14f/0x350 net/mac80211/main.c:453
 ieee80211_tasklet_handler+0x25/0x30 net/mac80211/main.c:472
 tasklet_action_common+0x35f/0xd70 kernel/softirq.c:829
 tasklet_action+0x2d/0x40 kernel/softirq.c:855
 handle_softirqs+0x166/0x6e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x66/0x180 kernel/softirq.c:680
 irq_exit_rcu+0x12/0x20 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x84/0x90 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:702

CPU: 0 UID: 0 PID: 4256 Comm: kworker/u8:23 Not tainted syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events_unbound flush_to_ldisc
=====================================================


Tested on:

commit:         bf40f4b8 Merge tag 'probes-fixes-v6.17-rc7' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14572ce2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f7564f7873be81d2
dashboard link: https://syzkaller.appspot.com/bug?extid=dd514b5f0cf048aec256
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12499ce2580000

next      parent reply	other threads:[~2025-09-25  6:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CABPJ0viXDF2o1MjbsUBC=0aaBx+CxArAr5rkt961TrVibqLLPQ@mail.gmail.com>
2025-09-25  6:37 ` syzbot [this message]
2025-09-25  8:41 [PATCH] KMSAN: uninit-value in n_tty_receive_buf_closing Pei Xiao
2025-09-25 10:09 ` [syzbot] [serial?] KMSAN: uninit-value in n_tty_receive_buf_closing (3) syzbot
  -- strict thread matches above, loose matches on Subject: below --
2024-08-19 13:42 syzbot
2024-12-27 18:44 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=68d4e30e.050a0220.3a612a.0005.GAE@google.com \
    --to=syzbot+dd514b5f0cf048aec256@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=rampxxxx@gmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.