[syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c1ca10ceffbb Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=106d709c180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2b39994d6ba6ddc6
dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-c1ca10ce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e748a043cf14/vmlinux-c1ca10ce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/60a25923a46c/bzImage-c1ca10ce.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
Read of size 8 at addr ffff88802fe23020 by task aoe_tx0/1350

CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 6.8.0-rc4-syzkaller-00331-gc1ca10ceffbb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:488
 kasan_report+0xda/0x110 mm/kasan/report.c:601
 handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
 __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
 netdev_start_xmit include/linux/netdevice.h:5003 [inline]
 xmit_one net/core/dev.c:3547 [inline]
 dev_hard_start_xmit+0x13a/0x6d0 net/core/dev.c:3563
 __dev_queue_xmit+0x7b6/0x3ee0 net/core/dev.c:4351
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 tx+0x76/0x100 drivers/block/aoe/aoenet.c:62
 kthread+0x1e9/0x3c0 drivers/block/aoe/aoecmd.c:1229
 kthread+0x2c6/0x3b0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
 </TASK>

Allocated by task 4932:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:389
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:711 [inline]
 alloc_tty_struct+0x98/0x8d0 drivers/tty/tty_io.c:3116
 tty_init_dev.part.0+0x1e/0x660 drivers/tty/tty_io.c:1415
 tty_init_dev include/linux/err.h:61 [inline]
 tty_open_by_driver drivers/tty/tty_io.c:2088 [inline]
 tty_open+0xb2d/0x1020 drivers/tty/tty_io.c:2135
 chrdev_open+0x26d/0x6f0 fs/char_dev.c:414
 do_dentry_open+0x8da/0x18c0 fs/open.c:953
 do_open fs/namei.c:3641 [inline]
 path_openat+0x1e00/0x29a0 fs/namei.c:3798
 do_filp_open+0x1de/0x440 fs/namei.c:3825
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1404
 do_sys_open fs/open.c:1419 [inline]
 __do_sys_openat fs/open.c:1435 [inline]
 __se_sys_openat fs/open.c:1430 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1430
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 23:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
 poison_slab_object mm/kasan/common.c:241 [inline]
 __kasan_slab_free+0x121/0x1c0 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kfree+0x124/0x370 mm/slub.c:4409
 process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
 kthread+0x2c6/0x3b0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0x110 mm/kasan/generic.c:586
 insert_work+0x38/0x230 kernel/workqueue.c:1653
 __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802
 queue_work_on+0xf4/0x120 kernel/workqueue.c:1837
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put drivers/tty/tty_io.c:1572 [inline]
 tty_kref_put drivers/tty/tty_io.c:1569 [inline]
 release_tty+0x4e1/0x600 drivers/tty/tty_io.c:1608
 tty_release_struct+0xb7/0xe0 drivers/tty/tty_io.c:1707
 tty_release+0xe33/0x1420 drivers/tty/tty_io.c:1867
 __fput+0x270/0xb80 fs/file_table.c:376
 task_work_run+0x14f/0x250 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa8a/0x2ad0 kernel/exit.c:871
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
 get_signal+0x23b9/0x2790 kernel/signal.c:2893
 arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
 syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
 do_syscall_64+0xe5/0x270 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

The buggy address belongs to the object at ffff88802fe23000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 32 bytes inside of
 freed 2048-byte region [ffff88802fe23000, ffff88802fe23800)

The buggy address belongs to the physical page:
page:ffffea0000bf8800 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802fe24000 pfn:0x2fe20
head:ffffea0000bf8800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888036434cc1
flags: 0xfff00000000a40(workingset|slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000a40 ffff888014c50140 ffffea0000985610 ffffea0000976210
raw: ffff88802fe24000 0000000000080005 00000001ffffffff ffff888036434cc1
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5214, tgid 5214 (syz-executor.0), ts 874094238940, free_ts 873944713923
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
 __alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2190 [inline]
 allocate_slab mm/slub.c:2354 [inline]
 new_slab+0xcc/0x3a0 mm/slub.c:2407
 ___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3625
 __slab_alloc_node mm/slub.c:3678 [inline]
 slab_alloc_node mm/slub.c:3850 [inline]
 __do_kmalloc_node mm/slub.c:3980 [inline]
 __kmalloc_node+0x361/0x470 mm/slub.c:3988
 kmalloc_node include/linux/slab.h:610 [inline]
 kvmalloc_node+0x9d/0x1a0 mm/util.c:617
 kvmalloc include/linux/slab.h:728 [inline]
 kvmalloc_array include/linux/slab.h:746 [inline]
 alloc_fdtable+0xef/0x290 fs/file.c:136
 dup_fd+0x77d/0xc70 fs/file.c:354
 copy_files kernel/fork.c:1789 [inline]
 copy_process+0x2851/0x97b0 kernel/fork.c:2485
 kernel_clone+0xfd/0x930 kernel/fork.c:2902
 __do_sys_clone+0xba/0x100 kernel/fork.c:3045
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
page last free pid 4901 tgid 4900 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2346
 free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
 __put_partials+0x14c/0x170 mm/slub.c:2922
 qlink_free mm/kasan/quarantine.c:160 [inline]
 qlist_free_all+0x58/0x150 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:324
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_lru+0x142/0x700 mm/slub.c:3879
 alloc_inode_sb include/linux/fs.h:3016 [inline]
 alloc_inode+0xba/0x230 fs/inode.c:262
 new_inode_pseudo+0x16/0x80 fs/inode.c:1005
 get_pipe_inode fs/pipe.c:891 [inline]
 create_pipe_files+0x4c/0x7f0 fs/pipe.c:931
 __do_pipe_flags fs/pipe.c:980 [inline]
 do_pipe2+0xb0/0x1d0 fs/pipe.c:1031
 __do_sys_pipe2 fs/pipe.c:1049 [inline]
 __se_sys_pipe2 fs/pipe.c:1047 [inline]
 __x64_sys_pipe2+0x54/0x80 fs/pipe.c:1047
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Memory state around the buggy address:
 ffff88802fe22f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802fe22f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802fe23000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88802fe23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802fe23100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[Eric Dumazet]

On Wed, Feb 21, 2024 at 11:58 AM syzbot
<syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    c1ca10ceffbb Merge tag 'scsi-fixes' of git://git.kernel.or..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=106d709c180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2b39994d6ba6ddc6
> dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-c1ca10ce.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e748a043cf14/vmlinux-c1ca10ce.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/60a25923a46c/bzImage-c1ca10ce.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
> Read of size 8 at addr ffff88802fe23020 by task aoe_tx0/1350
>
> CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 6.8.0-rc4-syzkaller-00331-gc1ca10ceffbb #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:377 [inline]
>  print_report+0xc4/0x620 mm/kasan/report.c:488
>  kasan_report+0xda/0x110 mm/kasan/report.c:601
>  handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
>  __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
>  netdev_start_xmit include/linux/netdevice.h:5003 [inline]
>  xmit_one net/core/dev.c:3547 [inline]
>  dev_hard_start_xmit+0x13a/0x6d0 net/core/dev.c:3563
>  __dev_queue_xmit+0x7b6/0x3ee0 net/core/dev.c:4351
>  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
>  tx+0x76/0x100 drivers/block/aoe/aoenet.c:62
>  kthread+0x1e9/0x3c0 drivers/block/aoe/aoecmd.c:1229
>  kthread+0x2c6/0x3b0 kernel/kthread.c:388
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
>  </TASK>
>
> Allocated by task 4932:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
>  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:389
>  kmalloc include/linux/slab.h:590 [inline]
>  kzalloc include/linux/slab.h:711 [inline]
>  alloc_tty_struct+0x98/0x8d0 drivers/tty/tty_io.c:3116
>  tty_init_dev.part.0+0x1e/0x660 drivers/tty/tty_io.c:1415
>  tty_init_dev include/linux/err.h:61 [inline]
>  tty_open_by_driver drivers/tty/tty_io.c:2088 [inline]
>  tty_open+0xb2d/0x1020 drivers/tty/tty_io.c:2135
>  chrdev_open+0x26d/0x6f0 fs/char_dev.c:414
>  do_dentry_open+0x8da/0x18c0 fs/open.c:953
>  do_open fs/namei.c:3641 [inline]
>  path_openat+0x1e00/0x29a0 fs/namei.c:3798
>  do_filp_open+0x1de/0x440 fs/namei.c:3825
>  do_sys_openat2+0x17a/0x1e0 fs/open.c:1404
>  do_sys_open fs/open.c:1419 [inline]
>  __do_sys_openat fs/open.c:1435 [inline]
>  __se_sys_openat fs/open.c:1430 [inline]
>  __x64_sys_openat+0x175/0x210 fs/open.c:1430
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
>
> Freed by task 23:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
>  poison_slab_object mm/kasan/common.c:241 [inline]
>  __kasan_slab_free+0x121/0x1c0 mm/kasan/common.c:257
>  kasan_slab_free include/linux/kasan.h:184 [inline]
>  slab_free_hook mm/slub.c:2121 [inline]
>  slab_free mm/slub.c:4299 [inline]
>  kfree+0x124/0x370 mm/slub.c:4409
>  process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
>  process_scheduled_works kernel/workqueue.c:2706 [inline]
>  worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
>  kthread+0x2c6/0x3b0 kernel/kthread.c:388
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
>
> Last potentially related work creation:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  __kasan_record_aux_stack+0xba/0x110 mm/kasan/generic.c:586
>  insert_work+0x38/0x230 kernel/workqueue.c:1653
>  __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802
>  queue_work_on+0xf4/0x120 kernel/workqueue.c:1837
>  kref_put include/linux/kref.h:65 [inline]
>  tty_kref_put drivers/tty/tty_io.c:1572 [inline]
>  tty_kref_put drivers/tty/tty_io.c:1569 [inline]
>  release_tty+0x4e1/0x600 drivers/tty/tty_io.c:1608
>  tty_release_struct+0xb7/0xe0 drivers/tty/tty_io.c:1707
>  tty_release+0xe33/0x1420 drivers/tty/tty_io.c:1867
>  __fput+0x270/0xb80 fs/file_table.c:376
>  task_work_run+0x14f/0x250 kernel/task_work.c:180
>  exit_task_work include/linux/task_work.h:38 [inline]
>  do_exit+0xa8a/0x2ad0 kernel/exit.c:871
>  do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
>  get_signal+0x23b9/0x2790 kernel/signal.c:2893
>  arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
>  exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
>  exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
>  syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
>  do_syscall_64+0xe5/0x270 arch/x86/entry/common.c:89
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
>
> The buggy address belongs to the object at ffff88802fe23000
>  which belongs to the cache kmalloc-cg-2k of size 2048
> The buggy address is located 32 bytes inside of
>  freed 2048-byte region [ffff88802fe23000, ffff88802fe23800)
>
> The buggy address belongs to the physical page:
> page:ffffea0000bf8800 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802fe24000 pfn:0x2fe20
> head:ffffea0000bf8800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> memcg:ffff888036434cc1
> flags: 0xfff00000000a40(workingset|slab|head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: 0xffffffff()
> raw: 00fff00000000a40 ffff888014c50140 ffffea0000985610 ffffea0000976210
> raw: ffff88802fe24000 0000000000080005 00000001ffffffff ffff888036434cc1
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5214, tgid 5214 (syz-executor.0), ts 874094238940, free_ts 873944713923
>  set_page_owner include/linux/page_owner.h:31 [inline]
>  post_alloc_hook+0x2d4/0x350 mm/page_alloc.c:1533
>  prep_new_page mm/page_alloc.c:1540 [inline]
>  get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
>  __alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
>  __alloc_pages_node include/linux/gfp.h:238 [inline]
>  alloc_pages_node include/linux/gfp.h:261 [inline]
>  alloc_slab_page mm/slub.c:2190 [inline]
>  allocate_slab mm/slub.c:2354 [inline]
>  new_slab+0xcc/0x3a0 mm/slub.c:2407
>  ___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
>  __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3625
>  __slab_alloc_node mm/slub.c:3678 [inline]
>  slab_alloc_node mm/slub.c:3850 [inline]
>  __do_kmalloc_node mm/slub.c:3980 [inline]
>  __kmalloc_node+0x361/0x470 mm/slub.c:3988
>  kmalloc_node include/linux/slab.h:610 [inline]
>  kvmalloc_node+0x9d/0x1a0 mm/util.c:617
>  kvmalloc include/linux/slab.h:728 [inline]
>  kvmalloc_array include/linux/slab.h:746 [inline]
>  alloc_fdtable+0xef/0x290 fs/file.c:136
>  dup_fd+0x77d/0xc70 fs/file.c:354
>  copy_files kernel/fork.c:1789 [inline]
>  copy_process+0x2851/0x97b0 kernel/fork.c:2485
>  kernel_clone+0xfd/0x930 kernel/fork.c:2902
>  __do_sys_clone+0xba/0x100 kernel/fork.c:3045
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
> page last free pid 4901 tgid 4900 stack trace:
>  reset_page_owner include/linux/page_owner.h:24 [inline]
>  free_pages_prepare mm/page_alloc.c:1140 [inline]
>  free_unref_page_prepare+0x527/0xb10 mm/page_alloc.c:2346
>  free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
>  __put_partials+0x14c/0x170 mm/slub.c:2922
>  qlink_free mm/kasan/quarantine.c:160 [inline]
>  qlist_free_all+0x58/0x150 mm/kasan/quarantine.c:176
>  kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:283
>  __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:324
>  kasan_slab_alloc include/linux/kasan.h:201 [inline]
>  slab_post_alloc_hook mm/slub.c:3813 [inline]
>  slab_alloc_node mm/slub.c:3860 [inline]
>  kmem_cache_alloc_lru+0x142/0x700 mm/slub.c:3879
>  alloc_inode_sb include/linux/fs.h:3016 [inline]
>  alloc_inode+0xba/0x230 fs/inode.c:262
>  new_inode_pseudo+0x16/0x80 fs/inode.c:1005
>  get_pipe_inode fs/pipe.c:891 [inline]
>  create_pipe_files+0x4c/0x7f0 fs/pipe.c:931
>  __do_pipe_flags fs/pipe.c:980 [inline]
>  do_pipe2+0xb0/0x1d0 fs/pipe.c:1031
>  __do_sys_pipe2 fs/pipe.c:1049 [inline]
>  __se_sys_pipe2 fs/pipe.c:1047 [inline]
>  __x64_sys_pipe2+0x54/0x80 fs/pipe.c:1047
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
>
> Memory state around the buggy address:
>  ffff88802fe22f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff88802fe22f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff88802fe23000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                ^
>  ffff88802fe23080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff88802fe23100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup

drivers/block/aoe/aoenet.c does not hold references to skb->dev,
this means the device can disappear.

This code seems obsolete/unmained, but a quick fix would be

diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
index c51ea95bc2ce41f6260302f5efe914d3e12e1d98..13fe344b5fb908b5f0bb0deff054d409464bbe7e
100644
--- a/drivers/block/aoe/aoenet.c
+++ b/drivers/block/aoe/aoenet.c
@@ -59,6 +59,7 @@ tx(int id) __must_hold(&txlock)
        while ((skb = skb_dequeue(&skbtxq))) {
                spin_unlock_irq(&txlock);
                ifp = skb->dev;
+               dev_put(ifp);
                if (dev_queue_xmit(skb) == NET_XMIT_DROP && net_ratelimit())
                        pr_warn("aoe: packet could not be sent on %s.  %s\n",
                                ifp ? ifp->name : "netif",
@@ -117,6 +118,7 @@ aoenet_xmit(struct sk_buff_head *queue)
        skb_queue_walk_safe(queue, skb, tmp) {
                __skb_unlink(skb, queue);
                spin_lock_irqsave(&txlock, flags);
+               dev_hold(skb->dev);
                skb_queue_tail(&skbtxq, skb);
                spin_unlock_irqrestore(&txlock, flags);
                wake_up(&txwq);

Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    c45323b7560e Merge tag 'mm-hotfixes-stable-2025-01-13-00-0..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10565cb0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1cb4a1f148c0861
dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14565cb0580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-c45323b7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d162460a6713/vmlinux-c45323b7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f905e34cb8b4/bzImage-c45323b7.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com

ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
==================================================================
BUG: KASAN: slab-use-after-free in handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
Read of size 8 at addr ffff88804b550020 by task aoe_tx0/1417

CPU: 2 UID: 0 PID: 1417 Comm: aoe_tx0 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3620 [inline]
 dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3636
 __dev_queue_xmit+0x7f0/0x43e0 net/core/dev.c:4466
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 tx+0xcc/0x190 drivers/block/aoe/aoenet.c:62
 kthread+0x1e7/0x3c0 drivers/block/aoe/aoecmd.c:1237
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 6243:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 alloc_tty_struct+0x98/0x8d0 drivers/tty/tty_io.c:3116
 tty_init_dev.part.0+0x1e/0x660 drivers/tty/tty_io.c:1409
 tty_init_dev include/linux/err.h:67 [inline]
 tty_open_by_driver drivers/tty/tty_io.c:2082 [inline]
 tty_open+0xac1/0xf80 drivers/tty/tty_io.c:2129
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 9:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:544
 insert_work+0x36/0x230 kernel/workqueue.c:2183
 __queue_work+0x97e/0x1080 kernel/workqueue.c:2339
 queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put drivers/tty/tty_io.c:1566 [inline]
 tty_kref_put drivers/tty/tty_io.c:1563 [inline]
 release_tty+0x4de/0x5d0 drivers/tty/tty_io.c:1602
 tty_release_struct+0xb7/0xe0 drivers/tty/tty_io.c:1701
 tty_release+0xe25/0x1410 drivers/tty/tty_io.c:1861
 __fput+0x3f8/0xb60 fs/file_table.c:450
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88804b550000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 32 bytes inside of
 freed 2048-byte region [ffff88804b550000, ffff88804b550800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804b554000 pfn:0x4b550
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff8880247d5b81
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801b050140 ffffea0000d3b210 ffff88801b04e708
raw: ffff88804b554000 0000000000080005 00000001f5000000 ffff8880247d5b81
head: 00fff00000000240 ffff88801b050140 ffffea0000d3b210 ffff88801b04e708
head: ffff88804b554000 0000000000080005 00000001f5000000 ffff8880247d5b81
head: 00fff00000000003 ffffea00012d5401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6034, tgid 6034 (syz-executor), ts 81856364049, free_ts 80251618977
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xd7d/0x17a0 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_noprof+0x2ec/0x510 mm/slub.c:4310
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 __register_sysctl_table+0xb4/0x1910 fs/proc/proc_sysctl.c:1375
 __devinet_sysctl_register+0x1b5/0x360 net/ipv4/devinet.c:2630
 devinet_sysctl_register net/ipv4/devinet.c:2670 [inline]
 devinet_sysctl_register+0x17b/0x200 net/ipv4/devinet.c:2660
 inetdev_init+0x2b8/0x5a0 net/ipv4/devinet.c:299
 inetdev_event+0xc61/0x18a0 net/ipv4/devinet.c:1598
 notifier_call_chain+0xb7/0x410 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2026
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 register_netdevice+0x17a0/0x1e90 net/core/dev.c:10651
page last free pid 5917 tgid 5917 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 kasan_depopulate_vmalloc_pte+0x63/0x80 mm/kasan/shadow.c:408
 apply_to_pte_range mm/memory.c:2831 [inline]
 apply_to_pmd_range mm/memory.c:2875 [inline]
 apply_to_pud_range mm/memory.c:2911 [inline]
 apply_to_p4d_range mm/memory.c:2947 [inline]
 __apply_to_page_range+0x5fd/0xd30 mm/memory.c:2981
 kasan_release_vmalloc+0xd1/0xe0 mm/kasan/shadow.c:529
 kasan_release_vmalloc_node mm/vmalloc.c:2196 [inline]
 purge_vmap_node+0x1d1/0xa40 mm/vmalloc.c:2213
 __purge_vmap_area_lazy+0x9bf/0xc10 mm/vmalloc.c:2304
 drain_vmap_area_work+0x27/0x40 mm/vmalloc.c:2338
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88804b54ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804b54ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804b550000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88804b550080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804b550100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    9bffa1ad25b8 Merge tag 'drm-fixes-2025-01-17' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107a69df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1cb4a1f148c0861
dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15783a18580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17d6c2b0580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-9bffa1ad.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c65d8091a25/vmlinux-9bffa1ad.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d98f79a18b7/bzImage-9bffa1ad.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
Read of size 8 at addr ffff888027ef3020 by task aoe_tx0/1417

CPU: 3 UID: 0 PID: 1417 Comm: aoe_tx0 Not tainted 6.13.0-rc7-syzkaller-00149-g9bffa1ad25b8 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 handle_tx+0x5a5/0x630 drivers/net/caif/caif_serial.c:236
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3620 [inline]
 dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3636
 __dev_queue_xmit+0x7f0/0x43e0 net/core/dev.c:4466
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 tx+0xcc/0x190 drivers/block/aoe/aoenet.c:62
 kthread+0x1e7/0x3c0 drivers/block/aoe/aoecmd.c:1237
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 9336:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 alloc_tty_struct+0x98/0x8d0 drivers/tty/tty_io.c:3116
 tty_init_dev.part.0+0x1e/0x660 drivers/tty/tty_io.c:1409
 tty_init_dev include/linux/err.h:67 [inline]
 tty_open_by_driver drivers/tty/tty_io.c:2082 [inline]
 tty_open+0xac1/0xf80 drivers/tty/tty_io.c:2129
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 3233:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:544
 insert_work+0x36/0x230 kernel/workqueue.c:2183
 __queue_work+0x97e/0x1080 kernel/workqueue.c:2339
 queue_work_on+0x11a/0x140 kernel/workqueue.c:2390
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put drivers/tty/tty_io.c:1566 [inline]
 tty_kref_put drivers/tty/tty_io.c:1563 [inline]
 release_tty+0x4de/0x5d0 drivers/tty/tty_io.c:1602
 tty_release_struct+0xb7/0xe0 drivers/tty/tty_io.c:1701
 tty_release+0xe25/0x1410 drivers/tty/tty_io.c:1861
 __fput+0x3f8/0xb60 fs/file_table.c:450
 __fput_sync+0xa1/0xc0 fs/file_table.c:535
 __do_sys_close fs/open.c:1554 [inline]
 __se_sys_close fs/open.c:1539 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1539
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888027ef3000
 which belongs to the cache kmalloc-cg-2k of size 2048
The buggy address is located 32 bytes inside of
 freed 2048-byte region [ffff888027ef3000, ffff888027ef3800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27ef0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802da23f81
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b050140 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000001f5000000 ffff88802da23f81
head: 00fff00000000040 ffff88801b050140 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000001f5000000 ffff88802da23f81
head: 00fff00000000003 ffffea00009fbc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5950, tgid 5950 (syz-executor374), ts 92233424258, free_ts 92129665975
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xd7d/0x17a0 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __do_kmalloc_node mm/slub.c:4297 [inline]
 __kmalloc_node_noprof+0x2f0/0x510 mm/slub.c:4304
 __kvmalloc_node_noprof+0xad/0x1a0 mm/util.c:645
 kvmalloc_array_node_noprof include/linux/slab.h:1063 [inline]
 alloc_fdtable+0xee/0x2b0 fs/file.c:199
 dup_fd+0x83b/0xb90 fs/file.c:400
 copy_files kernel/fork.c:1797 [inline]
 copy_process+0x25d2/0x8e50 kernel/fork.c:2382
 kernel_clone+0xfd/0x960 kernel/fork.c:2806
 __do_sys_clone+0xba/0x100 kernel/fork.c:2949
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6083 tgid 6083 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 __put_partials+0x14c/0x170 mm/slub.c:3157
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4119 [inline]
 slab_alloc_node mm/slub.c:4168 [inline]
 kmem_cache_alloc_noprof+0x226/0x3d0 mm/slub.c:4175
 getname_flags.part.0+0x4c/0x550 fs/namei.c:139
 getname_flags include/linux/audit.h:322 [inline]
 getname+0x8d/0xe0 fs/namei.c:223
 getname_maybe_null include/linux/fs.h:2796 [inline]
 vfs_fstatat+0xdf/0xf0 fs/stat.c:361
 __do_sys_newfstatat+0xa2/0x130 fs/stat.c:530
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888027ef2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888027ef2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888027ef3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888027ef3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888027ef3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[Hillf Danton]

On Fri, 17 Jan 2025 09:11:25 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    9bffa1ad25b8 Merge tag 'drm-fixes-2025-01-17' of https://g..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17d6c2b0580000

#syz test

--- x/drivers/net/caif/caif_serial.c
+++ y/drivers/net/caif/caif_serial.c
@@ -304,11 +304,14 @@ static void ser_release(struct work_stru
 	spin_unlock(&ser_lock);
 
 	if (!list_empty(&list)) {
+		struct tty_struct *tty;
 		rtnl_lock();
 		list_for_each_entry_safe(ser, tmp, &list, node) {
+			tty = ser->tty;
 			dev_close(ser->dev);
 			unregister_netdevice(ser->dev);
 			debugfs_deinit(ser);
+			tty_kref_put(tty);
 		}
 		rtnl_unlock();
 	}
@@ -369,8 +372,6 @@ static void ldisc_close(struct tty_struc
 {
 	struct ser_device *ser = tty->disc_data;
 
-	tty_kref_put(ser->tty);
-
 	spin_lock(&ser_lock);
 	list_move(&ser->node, &ser_release_list);
 	spin_unlock(&ser_lock);
--

Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in corrupted

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 	0-....: (10502 ticks this GP) idle=53f4/1/0x4000000000000000 softirq=13718/13719 fqs=4654
rcu: 	         hardirqs   softirqs   csw/system
rcu: 	 number:        0          0            0
rcu: 	cputime:      104          0        52395   ==> 52510(ms)
rcu: 	(t=10502 jiffies g=11589 q=64997 ncpus=4)
CPU: 0 UID: 0 PID: 1415 Comm: aoe_tx0 Not tainted 6.13.0-rc7-syzkaller-g595523945be0-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 76 22 4a f6 48 89 df e8 ce a1 4a f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 c5 86 3b f6 65 8b 05 86 30 d7 74 85 c0 74 16 5b
RSP: 0018:ffffc90006d4f9e8 EFLAGS: 00000246
RAX: 0000000000000002 RBX: ffffffff9ab12620 RCX: 1ffffffff2dd995e
RDX: 0000000000000000 RSI: ffffffff8b6cd9e0 RDI: ffffffff8bd1efe0
RBP: 0000000000000293 R08: 0000000000000001 R09: fffffbfff2dca7be
R10: ffffffff96e53df7 R11: 0000000000000002 R12: ffffffff9ab12728
R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000003
FS:  0000000000000000(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c00772e000 CR3: 000000000df7e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 </IRQ>
 <TASK>
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 uart_port_unlock_irqrestore include/linux/serial_core.h:786 [inline]
 uart_write+0x4c1/0xb30 drivers/tty/serial/serial_core.c:628
 handle_tx+0x203/0x630 drivers/net/caif/caif_serial.c:236
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3620 [inline]
 dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3636
 __dev_queue_xmit+0x7f0/0x43e0 net/core/dev.c:4466
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 tx+0xcc/0x190 drivers/block/aoe/aoenet.c:62
 kthread+0x1e7/0x3c0 drivers/block/aoe/aoecmd.c:1237
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


Tested on:

commit:         59552394 Merge tag 'devicetree-fixes-for-6.13-2' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1567e9df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d1cb4a1f148c0861
dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=111a4164580000

Forwarded: KASAN: slab-use-after-free Read in handle_tx (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: slab-use-after-free Read in handle_tx (2)
Author: viswanathiyyappan@gmail.com

#syz test

Forwarded: KASAN: slab-use-after-free Read in handle_tx (2) Inbox

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: slab-use-after-free Read in handle_tx (2) Inbox
Author: viswanathiyyappan@gmail.com

#syz test