From: syzbot <syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
viswanathiyyappan@gmail.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2)
Date: Thu, 06 Nov 2025 06:50:02 -0800 [thread overview]
Message-ID: <690cb59a.050a0220.3d0d33.015e.GAE@google.com> (raw)
In-Reply-To: <CAPrAcgMMMYxF=Cw+rwEHuPJJ=4bCyukCh8ptS9M4iQTbWEd+yw@mail.gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in ser_release
==================================================================
BUG: KASAN: slab-use-after-free in ser_release+0x39c/0x3b0 drivers/net/caif/caif_serial.c:303
Read of size 8 at addr ffff8880355fed98 by task kworker/3:0/34
CPU: 3 UID: 0 PID: 34 Comm: kworker/3:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events ser_release
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
ser_release+0x39c/0x3b0 drivers/net/caif/caif_serial.c:303
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6406:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5642 [inline]
__kvmalloc_node_noprof+0x3a3/0x9c0 mm/slub.c:7100
alloc_netdev_mqs+0xd7/0x1550 net/core/dev.c:11900
ldisc_open+0x155/0x970 drivers/net/caif/caif_serial.c:331
tty_ldisc_open+0x9f/0x120 drivers/tty/tty_ldisc.c:432
tty_set_ldisc+0x32b/0x780 drivers/tty/tty_ldisc.c:563
tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0xc2d/0x1680 drivers/tty/tty_io.c:2728
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 34:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2539 [inline]
slab_free mm/slub.c:6630 [inline]
kfree+0x2b8/0x6d0 mm/slub.c:6837
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
netdev_run_todo+0x7e9/0x1320 net/core/dev.c:11601
ser_release+0x1ca/0x3b0 drivers/net/caif/caif_serial.c:298
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3427
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff8880355fe000
which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 3480 bytes inside of
freed 4096-byte region [ffff8880355fe000, ffff8880355ff000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x355f8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802c472741
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b04c280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000000f5000000 ffff88802c472741
head: 00fff00000000040 ffff88801b04c280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000000f5000000 ffff88802c472741
head: 00fff00000000003 ffffea0000d57e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6200, tgid 6200 (udevd), ts 91632676821, free_ts 89805144993
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x10a3/0x3a30 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x25f/0x2470 mm/page_alloc.c:5183
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:3055 [inline]
allocate_slab mm/slub.c:3228 [inline]
new_slab+0x24a/0x360 mm/slub.c:3282
___slab_alloc+0xdae/0x1a60 mm/slub.c:4651
__slab_alloc.constprop.0+0x63/0x110 mm/slub.c:4770
__slab_alloc_node mm/slub.c:4846 [inline]
slab_alloc_node mm/slub.c:5268 [inline]
__do_kmalloc_node mm/slub.c:5641 [inline]
__kvmalloc_node_noprof+0x5aa/0x9c0 mm/slub.c:7100
seq_buf_alloc fs/seq_file.c:38 [inline]
seq_read_iter+0x830/0x12d0 fs/seq_file.c:210
proc_reg_read_iter+0x11b/0x310 fs/proc/inode.c:295
new_sync_read fs/read_write.c:491 [inline]
vfs_read+0x8bf/0xcf0 fs/read_write.c:572
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 6346 tgid 6346 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0x7df/0x1160 mm/page_alloc.c:2906
vfree+0x1fd/0xb50 mm/vmalloc.c:3440
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x150/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x86f/0x2bf0 kernel/exit.c:966
do_group_exit+0xd3/0x2a0 kernel/exit.c:1107
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7c0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x85/0x130 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x426/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880355fec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880355fed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880355fed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880355fee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880355fee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: dc77806c Merge tag 'rust-fixes-6.18' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13702a58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f009a9a8d50667
dashboard link: https://syzkaller.appspot.com/bug?extid=827272712bd6d12c79a4
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a29084580000
next parent reply other threads:[~2025-11-06 14:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAPrAcgMMMYxF=Cw+rwEHuPJJ=4bCyukCh8ptS9M4iQTbWEd+yw@mail.gmail.com>
2025-11-06 14:50 ` syzbot [this message]
[not found] <CAPrAcgOWmK1FLk8r0LszmPO3ysPi4G+EJw=YcSg3o6Ozy1wGbw@mail.gmail.com>
2025-11-06 15:28 ` [syzbot] [net?] KASAN: slab-use-after-free Read in handle_tx (2) syzbot
2024-02-21 10:58 syzbot
2024-02-21 11:05 ` Eric Dumazet
2025-01-14 1:26 ` syzbot
2025-01-17 17:11 ` syzbot
2025-01-18 11:05 ` Hillf Danton
2025-01-18 11:21 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=690cb59a.050a0220.3d0d33.015e.GAE@google.com \
--to=syzbot+827272712bd6d12c79a4@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viswanathiyyappan@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.