* [syzbot] [bpf?] KASAN: slab-use-after-free Write in defer_free
From: syzbot @ 2025-12-08 8:58 UTC
To: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs, yonghong.song
Hello,
syzbot found the following issue on:
HEAD commit: 559e608c4655 Merge tag 'ntfs3_for_6.19' of https://github...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1080b192580000
kernel config: https://syzkaller.appspot.com/x/.config?x=35a67601c980c167
dashboard link: https://syzkaller.appspot.com/bug?extid=7a25305a76d872abcfa1
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1574b01a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a33cc2580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-559e608c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5ff565203729/vmlinux-559e608c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/28d6e57737b9/Image-559e608c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7a25305a76d872abcfa1@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
Write at addr f3f000000854f020 by task kworker/u8:6/983
Pointer tag: [f3], memory tag: [fe]
CPU: 0 UID: 0 PID: 983 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound bpf_map_free_deferred
Call trace:
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x78/0x90 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x108/0x61c mm/kasan/report.c:482
kasan_report+0x88/0xac mm/kasan/report.c:595
report_tag_fault arch/arm64/mm/fault.c:330 [inline]
do_tag_recovery arch/arm64/mm/fault.c:342 [inline]
__do_kernel_fault+0x170/0x1c8 arch/arm64/mm/fault.c:384
do_bad_area+0x68/0x78 arch/arm64/mm/fault.c:484
do_tag_check_fault+0x34/0x44 arch/arm64/mm/fault.c:857
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:933
el1_abort+0x44/0x68 arch/arm64/kernel/entry-common.c:303
el1h_64_sync_handler+0x50/0xac arch/arm64/kernel/entry-common.c:437
el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
defer_free+0x3c/0xbc mm/slub.c:6537 (P)
do_slab_free mm/slub.c:6619 [inline]
kfree_nolock+0x1a0/0x1d4 mm/slub.c:6930
range_tree_destroy+0x74/0x90 kernel/bpf/range_tree.c:253
arena_map_free+0x64/0x90 kernel/bpf/arena.c:196
bpf_map_free kernel/bpf/syscall.c:894 [inline]
bpf_map_free_deferred+0x70/0x180 kernel/bpf/syscall.c:921
process_one_work+0x178/0x2cc kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x24c/0x354 kernel/workqueue.c:3421
kthread+0x130/0x1fc kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Allocated by task 3570:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:56
save_stack_info+0x40/0x158 mm/kasan/tags.c:106
kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:142
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
poison_kmalloc_redzone mm/kasan/common.c:373 [inline]
__kasan_kmalloc+0xb4/0xb8 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
kmalloc_nolock_noprof+0x1dc/0x4fc mm/slub.c:5751
range_tree_set+0x644/0x778 kernel/bpf/range_tree.c:237
arena_map_alloc+0x11c/0x17c kernel/bpf/arena.c:141
map_create+0x19c/0xa98 kernel/bpf/syscall.c:1514
__sys_bpf+0x348/0x1a88 kernel/bpf/syscall.c:6146
__do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
__arm64_sys_bpf+0x24/0x34 kernel/bpf/syscall.c:6272
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
el0_svc+0x34/0x128 arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596
Freed by task 983:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:56
save_stack_info+0x40/0x158 mm/kasan/tags.c:106
__kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:147
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x80/0x84 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
kfree_nolock+0xcc/0x1d4 mm/slub.c:6929
range_tree_destroy+0x74/0x90 kernel/bpf/range_tree.c:253
arena_map_free+0x64/0x90 kernel/bpf/arena.c:196
bpf_map_free kernel/bpf/syscall.c:894 [inline]
bpf_map_free_deferred+0x70/0x180 kernel/bpf/syscall.c:921
process_one_work+0x178/0x2cc kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x24c/0x354 kernel/workqueue.c:3421
kthread+0x130/0x1fc kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
The buggy address belongs to the object at fff000000854f000
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 32 bytes inside of
64-byte region [fff000000854f000, fff000000854f040)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfbf000000854f200 pfn:0x4854f
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: f5(slab)
raw: 01ffc00000000000 f9f0000003001600 dead000000000100 dead000000000122
raw: fbf000000854f200 000000008040003f 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
fff000000854ee00: f6 f6 f7 f7 fa fa f9 f9 f5 f5 fb fb f6 f6 fc fc
fff000000854ef00: f8 f8 f6 f6 f0 f0 f2 f2 f9 f9 f2 f2 f0 f0 fb fb
>fff000000854f000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
^
fff000000854f100: fa fa fa fe fe fe fe fe fe fe fe fe fe fe fe fe
fff000000854f200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Forwarded: [PATCH] mm/slub: reset KASAN tag in defer_free() before accessing freed memory
From: syzbot @ 2025-12-10 1:44 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mm/slub: reset KASAN tag in defer_free() before accessing freed memory
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free()
before defer_free(). On ARM64 with MTE (Memory Tagging Extension),
kasan_slab_free() poisons the memory and changes the tag from the
original (e.g., 0xf3) to a poison tag (0xfe).
When defer_free() then tries to write to the freed object to build the
deferred free list via llist_add(), the pointer still has the old tag,
causing a tag mismatch and triggering a KASAN use-after-free report:
BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537
Write at addr f3f000000854f020 by task kworker/u8:6/983
Pointer tag: [f3], memory tag: [fe]
Fix this by calling kasan_reset_tag() before accessing the freed memory.
This is safe because defer_free() is part of the allocator itself and is
expected to manipulate freed memory for bookkeeping purposes.
Fixes: af92793e52c3 ("slab: Introduce kmalloc_nolock() and kfree_nolock()")
Closes: https://syzkaller.appspot.com/bug?extid=7a25305a76d872abcfa1
Reported-by: syzbot+7a25305a76d872abcfa1@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
mm/slub.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/slub.c b/mm/slub.c
index e6a330e24145..46959c6da2cf 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -6534,6 +6534,8 @@ static void defer_free(struct kmem_cache *s, void *head)
guard(preempt)();
+ head = kasan_reset_tag(head);
+
df = this_cpu_ptr(&defer_free_objects);
if (llist_add(head + s->offset, &df->objects))
irq_work_queue(&df->work);
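Review bot: the added `head = kasan_reset_tag(head);` carries no comment saying why the allocator must untag at this point, and the reasoning in the commit message (kasan_slab_free() has already retagged the object, so the tag still carried by `head` no longer matches the memory) belongs next to the line so a later cleanup does not drop it as a redundant call. A one-line comment above the assignment, for example `/* object already poisoned by kasan_slab_free(); untag before touching it */`, would do. It is also worth noting in the message that kasan_reset_tag() returns the pointer unchanged on builds without tag-based KASAN, so the unconditional call in this generic path costs nothing on other configurations.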
--
2.43.0
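The failure the patch describes comes down to two tags that must agree on every access: the tag carried in the top byte of the pointer and the tag stored for the memory it points at. The following is an added example, not code from the patch or from the kernel: a constructed user-space model of that check in which addresses are offsets into a small pool, each 16-byte granule carries one tag, 0xfe stands for the tag KASAN writes on freed memory and 0xff for the match-all tag that kasan_reset_tag() yields. The names model_alloc, model_poison_free, model_defer_free and run_scenario are invented for the model; it replays the sequence from the report (allocate with tag f3, poison on free, then the allocator's own write into the object) once without and once with the tag reset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of tag-based KASAN pointer/memory tag checking.
 * Not kernel code: addresses are offsets into a small pool, the tag lives
 * in the top byte of the address, and every 16-byte granule has one tag.
 */
#define TAG_SHIFT     56
#define TAG_KERNEL    0xffu  /* match-all tag; what kasan_reset_tag() produces */
#define TAG_INVALID   0xfeu  /* tag stored on freed memory (the 0xfe in the report) */
#define GRANULE       16
#define POOL_GRANULES 16

static uint8_t pool[POOL_GRANULES * GRANULE];  /* object storage */
static uint8_t memtag[POOL_GRANULES];          /* per-granule memory tag */
static size_t  bump;                           /* next free granule */
static uint8_t next_tag = 0xf3;                /* deterministic tag source */

static uint8_t  ptr_tag(uint64_t p)             { return (uint8_t)(p >> TAG_SHIFT); }
static uint64_t ptr_addr(uint64_t p)            { return p & (((uint64_t)1 << TAG_SHIFT) - 1); }
static uint64_t with_tag(uint64_t a, uint8_t t) { return ptr_addr(a) | ((uint64_t)t << TAG_SHIFT); }

/* Model of kasan_reset_tag(): keep the address, replace the tag by the match-all tag. */
static uint64_t model_reset_tag(uint64_t p) { return with_tag(p, TAG_KERNEL); }

/*
 * Model of the check performed on every access: the pointer tag must equal the
 * memory tag of each granule touched unless the pointer carries the match-all
 * tag. Returns 0 when the access is allowed, -1 on a tag fault.
 */
static int tag_check(uint64_t p, size_t len, const char *who)
{
    uint64_t a = ptr_addr(p);
    uint8_t t = ptr_tag(p);
    if (a + len > sizeof pool)
        return -1;
    for (size_t g = a / GRANULE; g < (a + len + GRANULE - 1) / GRANULE; g++) {
        if (t != TAG_KERNEL && memtag[g] != t) {
            printf("BUG: tag mismatch in %s: pointer tag [%02x], memory tag [%02x]\n",
                   who, t, memtag[g]);
            return -1;
        }
    }
    return 0;
}

/* Model allocation: tag the granules and hand back a pointer carrying the same tag. */
static uint64_t model_alloc(size_t size)
{
    size_t granules = (size + GRANULE - 1) / GRANULE;
    if (bump + granules > POOL_GRANULES)
        return 0;
    uint8_t t = next_tag;
    next_tag = (next_tag == 0xfd) ? 0xf0 : next_tag + 1;  /* never hand out 0xfe/0xff */
    uint64_t a = bump * GRANULE;
    for (size_t g = bump; g < bump + granules; g++)
        memtag[g] = t;
    bump += granules;
    memset(pool + a, 0, granules * GRANULE);
    return with_tag(a, t);
}

/* Model of kasan_slab_free(): poison the object by retagging its granules. */
static void model_poison_free(uint64_t p, size_t size)
{
    uint64_t a = ptr_addr(p);
    for (size_t g = a / GRANULE; g < (a + size + GRANULE - 1) / GRANULE; g++)
        memtag[g] = TAG_INVALID;
}

/*
 * The defer_free() step: the allocator links the freed object into a list by
 * writing a list node (8 bytes) inside the object itself.
 * Returns 0 on success, -1 if the write trips the tag check.
 */
static int model_defer_free(uint64_t head, int reset_tag_first)
{
    if (reset_tag_first)
        head = model_reset_tag(head);        /* the patch's one-line fix */
    if (tag_check(head, sizeof(uint64_t), "defer_free") != 0)
        return -1;
    uint64_t node = 0;                       /* stand-in for llist_add() storing the next pointer */
    memcpy(pool + ptr_addr(head), &node, sizeof node);
    return 0;
}

/* Replay the report's sequence; returns the result of the deferred-free write. */
static int run_scenario(int with_fix)
{
    bump = 0;
    next_tag = 0xf3;
    uint64_t obj = model_alloc(64);          /* kmalloc_nolock(64): pointer tag f3 */
    if (tag_check(obj, 64, "owner") != 0)    /* the owner can use it while live */
        return -99;
    model_poison_free(obj, 64);              /* kasan_slab_free() runs first ... */
    return model_defer_free(obj, with_fix);  /* ... then defer_free() writes into it */
}

int main(void)
{
    printf("without fix: %d\n", run_scenario(0));
    printf("with fix:    %d\n", run_scenario(1));
    return 0;
}
```

Without the reset the model reports the same pair the kernel printed, pointer tag f3 against memory tag fe; with it the write is allowed because the match-all tag bypasses the comparison, which is exactly why such a reset must be confined to allocator bookkeeping that is entitled to touch freed memory.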