* [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
From: syzbot @ 2024-11-19 18:42 UTC (permalink / raw)
  To: linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    cfaaa7d010d1 Merge tag 'net-6.12-rc8' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1365b1a7980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=327b6119dd928cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d7dcc0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11176b5f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/165690e61317/disk-cfaaa7d0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f9a0f36bc43c/vmlinux-cfaaa7d0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6e15e2011b02/bzImage-cfaaa7d0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
Read of size 8 at addr ffff8880502e80c8 by task v4l_id/7854

CPU: 1 UID: 0 PID: 7854 Comm: v4l_id Not tainted 6.12.0-rc7-syzkaller-00125-gcfaaa7d010d1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 v4l2_release+0x3e2/0x460 drivers/media/v4l2-core/v4l2-dev.c:453
 __fput+0x3f6/0xb60 fs/file_table.c:431
 __fput_sync+0x45/0x50 fs/file_table.c:516
 __do_sys_close fs/open.c:1567 [inline]
 __se_sys_close fs/open.c:1552 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1552
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb945b170a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffce37bdcf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007fb945ecdce0 RCX: 00007fb945b170a8
RDX: 0000000000000001 RSI: 000055f495dc60e7 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000006 R09: 0000000000000000
R10: 000055f495dc60e1 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffce37bdef0 R14: 000055f495dbf670 R15: 00007fb945fb3a80
 </TASK>

Allocated by task 6058:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 hackrf_probe+0xd1/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1353
 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3672
 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3672
 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 6058:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4727
 hackrf_probe+0x4c9/0x1cf0 drivers/media/usb/hackrf/hackrf.c:1525
 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3672
 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3672
 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff8880502e8000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 200 bytes inside of
 freed 8192-byte region [ffff8880502e8000, ffff8880502ea000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x502e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042280 dead000000000100 dead000000000122
head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000140ba01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (S10udev), ts 13144656310, free_ts 10453105280
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2412 [inline]
 allocate_slab mm/slub.c:2578 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2631
 ___slab_alloc+0xdac/0x1880 mm/slub.c:3818
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 __kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
 tomoyo_init_log+0xcb3/0x2170 security/tomoyo/audit.c:264
 tomoyo_supervisor+0x30c/0xea0 security/tomoyo/common.c:2089
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x193/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0xe8e/0x2070 security/tomoyo/domain.c:881
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
 tomoyo_bprm_check_security+0x12b/0x1d0 security/tomoyo/tomoyo.c:92
 security_bprm_check+0x1b9/0x1e0 security/security.c:1297
 search_binary_handler fs/exec.c:1740 [inline]
 exec_binprm fs/exec.c:1794 [inline]
 bprm_execve fs/exec.c:1845 [inline]
 bprm_execve+0x642/0x1960 fs/exec.c:1821
 do_execveat_common.isra.0+0x4f1/0x630 fs/exec.c:1952
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
 free_contig_range+0x133/0x3f0 mm/page_alloc.c:6765
 destroy_args+0xa87/0xe60 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x168e/0x31a0 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x128/0x700 init/main.c:1269
 do_initcall_level init/main.c:1331 [inline]
 do_initcalls init/main.c:1347 [inline]
 do_basic_setup init/main.c:1366 [inline]
 kernel_init_freeable+0x5c7/0x900 init/main.c:1580
 kernel_init+0x1c/0x2b0 init/main.c:1469
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880502e7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880502e8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880502e8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8880502e8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880502e8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
From: Nikita Zhandarovich @ 2025-01-26 16:12 UTC (permalink / raw)
  To: syzbot+6b52c2b24e341804a58c
  Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel

Try fixing the order of releasing things in case of a faulty
device registration.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
 drivers/media/usb/hackrf/hackrf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/hackrf/hackrf.c b/drivers/media/usb/hackrf/hackrf.c
index 0b50de8775a3..bc910b35f605 100644
--- a/drivers/media/usb/hackrf/hackrf.c
+++ b/drivers/media/usb/hackrf/hackrf.c
@@ -1513,12 +1513,12 @@ static int hackrf_probe(struct usb_interface *intf,
 	return 0;
 err_video_unregister_device_rx:
 	video_unregister_device(&dev->rx_vdev);
-err_v4l2_device_unregister:
-	v4l2_device_unregister(&dev->v4l2_dev);
 err_v4l2_ctrl_handler_free_tx:
 	v4l2_ctrl_handler_free(&dev->tx_ctrl_handler);
 err_v4l2_ctrl_handler_free_rx:
 	v4l2_ctrl_handler_free(&dev->rx_ctrl_handler);
+err_v4l2_device_unregister:
+	v4l2_device_unregister(&dev->v4l2_dev);
 err_kfree:
 	kfree(dev);
 err:
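Review bot: moving the `err_v4l2_device_unregister:` label below the two `v4l2_ctrl_handler_free()` calls changes what every `goto` into this unwind chain does, and the hunk does not show the goto sites (the diffstat is 2 insertions and 2 deletions, so none were retargeted). Before the patch a `goto err_v4l2_device_unregister` fell through both `v4l2_ctrl_handler_free()` calls on its way to `kfree(dev)`; after it, the same jump runs only `v4l2_device_unregister(&dev->v4l2_dev)` and then frees `dev`, leaking both control handlers unless no handler has been initialised at that point. Conversely, a `goto err_v4l2_ctrl_handler_free_tx` or `_rx` now also calls `v4l2_device_unregister()`, which is only correct if `v4l2_device_register()` has already succeeded on every path that takes it. Please audit each `goto err_v4l2_*` in hackrf_probe against the new order and record the result in the commit message. Separately, the KASAN report shows the freed object is `dev` (kfree at hackrf.c:1525 in this probe error path) and the read happens in `v4l2_release` during close() by `v4l_id`, i.e. a userspace open of the already-registered rx node outlived the probe failure; `kfree(dev)` still runs unconditionally at `err_kfree` while such an open may hold the embedded `video_device`, so the message should say why reordering `v4l2_device_unregister()` closes that window rather than only "try fixing the order". When this goes out as a formal patch, carry the `Reported-by: syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com` tag from the report and add a Fixes: tag.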


* Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
From: syzbot @ 2025-01-26 16:37 UTC (permalink / raw)
  To: linux-kernel, n.zhandarovich, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com
Tested-by: syzbot+6b52c2b24e341804a58c@syzkaller.appspotmail.com

Tested on:

commit:         aa22f4da Merge tag 'rproc-v6.14' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17053624580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d8d1812e6d1408
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13a93624580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
From: Nikita Zhandarovich @ 2025-01-27 11:23 UTC (permalink / raw)
  To: syzbot+6b52c2b24e341804a58c
  Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel

Check if the issue is still active.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


* Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release
From: syzbot @ 2025-01-27 17:24 UTC (permalink / raw)
  To: linux-kernel, n.zhandarovich, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in reg_process_self_managed_hints

INFO: task kworker/0:1:9 blocked for more than 143 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1     state:D stack:26592 pid:9     tgid:9     ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: events reg_todo
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
 reg_process_self_managed_hints+0x95/0x1f0 net/wireless/reg.c:3206
 reg_todo+0x684/0x910 net/wireless/reg.c:3219
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:2:33 blocked for more than 143 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:2    state:D stack:21856 pid:33    tgid:33    ppid:2      task_flags:0x4208160 flags:0x00004000
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_net_lock include/linux/rtnetlink.h:129 [inline]
 addrconf_dad_work+0x121/0x14e0 net/ipv6/addrconf.c:4190
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:6:3422 blocked for more than 143 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:6    state:D stack:22568 pid:3422  tgid:3422  ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_acquire_if_cleanup_net net/core/dev.c:10272 [inline]
 unregister_netdevice_many_notify+0x1a51/0x21a0 net/core/dev.c:11792
 unregister_netdevice_many net/core/dev.c:11875 [inline]
 unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11741
 unregister_netdevice include/linux/netdevice.h:3329 [inline]
 _cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1251
 ieee80211_remove_interfaces+0x34f/0x720 net/mac80211/iface.c:2305
 ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1681
 mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5664 [inline]
 hwsim_exit_net+0x3ad/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6544
 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:172
 cleanup_net+0x5c6/0xbf0 net/core/net_namespace.c:652
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/u8:7:3498 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:7    state:D stack:24000 pid:3498  tgid:3498  ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: events_unbound linkwatch_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 linkwatch_event+0x51/0xc0 net/core/link_watch.c:285
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/0:4:5901 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4     state:D stack:27488 pid:5901  tgid:5901  ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: events_power_efficient crda_timeout_work
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 crda_timeout_work+0x15/0x50 net/wireless/reg.c:540
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task syz-executor:6463 blocked for more than 144 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:24288 pid:6463  tgid:6463  ppid:1      task_flags:0x400140 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 rtnl_lock net/core/rtnetlink.c:79 [inline]
 rtnl_nets_lock net/core/rtnetlink.c:335 [inline]
 rtnl_newlink+0x5d9/0x1d60 net/core/rtnetlink.c:4020
 rtnetlink_rcv_msg+0x95b/0xea0 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2543
 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1348
 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:713 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 __sys_sendto+0x488/0x4f0 net/socket.c:2182
 __do_sys_sendto net/socket.c:2189 [inline]
 __se_sys_sendto net/socket.c:2185 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2185
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f50e3780553
RSP: 002b:00007fff7321e8d8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f50e4464620 RCX: 00007f50e3780553
RDX: 0000000000000054 RSI: 00007f50e4464670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007fff7321e8f4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f50e4464670 R15: 0000000000000000
 </TASK>
INFO: task syz-executor:6521 blocked for more than 145 seconds.
      Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:27608 pid:6521  tgid:6521  ppid:6517   task_flags:0x400140 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5377 [inline]
 __schedule+0xf43/0x5890 kernel/sched/core.c:6764
 __schedule_loop kernel/sched/core.c:6841 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6856
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913
 __mutex_lock_common kernel/locking/mutex.c:662 [inline]
 __mutex_lock+0x6bd/0xb10 kernel/locking/mutex.c:730
 register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3878
 ops_init+0x1df/0x5f0 net/core/net_namespace.c:138
 setup_net+0x21f/0x860 net/core/net_namespace.c:362
 copy_net_ns+0x2b4/0x6c0 net/core/net_namespace.c:516
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x45d/0xa40 kernel/fork.c:3331
 __do_sys_unshare kernel/fork.c:3402 [inline]
 __se_sys_unshare kernel/fork.c:3400 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3400
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff68297ff17
RSP: 002b:00007ffec94d6498 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007ff682b35f40 RCX: 00007ff68297ff17
RDX: 00007ff68297e719 RSI: 00007ffec94d6460 RDI: 0000000040000000
RBP: 00007ff682b36528 R08: 00007ff682afb9f0 R09: 00007ff682afb9f0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000006 R14: 0000000000000009 R15: 0000000000000000
 </TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:236 [inline]
 watchdog+0xf62/0x12b0 kernel/hung_task.c:399
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6447 Comm: syz-executor Not tainted 6.13.0-syzkaller-08265-g9c5968db9e62 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x111/0x1a0 mm/kasan/generic.c:189
Code: 44 89 c2 e8 c1 ec ff ff 83 f0 01 5b 5d 41 5c c3 cc cc cc cc 48 85 d2 74 4f 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 41 80 38 00 <74> f2 eb b2 41 bc 08 00 00 00 45 29 dc 49 8d 14 2c eb 0c 48 83 c0
RSP: 0018:ffffc90003f67a30 EFLAGS: 00000246
RAX: fffff520007ecf5e RBX: fffff520007ecf60 RCX: ffffffff846fc867
RDX: fffff520007ecf60 RSI: 0000000000000014 RDI: ffffc90003f67ae8
RBP: fffff520007ecf5d R08: 0000000000000001 R09: fffff520007ecf5f
R10: ffffc90003f67afb R11: 0000000000000000 R12: ffffc90003f67ae8
R13: 0000000000000092 R14: ffffc90003f67ae8 R15: 0000000000040257
FS:  00005555573ce500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bfd2a63600 CR3: 0000000031342000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
 avc_has_perm_noaudit+0xe7/0x3a0 security/selinux/avc.c:1164
 avc_has_perm+0xc1/0x1c0 security/selinux/avc.c:1195
 inode_has_perm+0x168/0x1d0 security/selinux/hooks.c:1676
 file_has_perm+0x2e8/0x350 security/selinux/hooks.c:1766
 selinux_revalidate_file_permission security/selinux/hooks.c:3622 [inline]
 selinux_file_permission+0x40d/0x580 security/selinux/hooks.c:3643
 security_file_permission+0x1e3/0x210 security/security.c:2844
 rw_verify_area+0xb9/0x680 fs/read_write.c:466
 vfs_read+0x14c/0xbf0 fs/read_write.c:556
 ksys_read+0x207/0x250 fs/read_write.c:708
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcc37d7d11d
Code: a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb b5 e8 78 48 00 00 0f 1f 84 00 00 00 00 00 80 3d 21 04 19 00 00 74 17 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5b c3 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec
RSP: 002b:00007fff60bf0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055555743cd70 RCX: 00007fcc37d7d11d
RDX: 0000000000000400 RSI: 00005555573e77e0 RDI: 0000000000000021
RBP: 000055555743cd70 R08: 000000000000689e R09: 00005555573e75d8
R10: 0000000000000000 R11: 0000000000000246 R12: 000055555743ce78
R13: 0000000000000001 R14: 00007fff60bf0da0 R15: 000055555743c130
 </TASK>


Tested on:

commit:         9c5968db Merge tag 'mm-stable-2025-01-26-14-59' of git..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1049f9f8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=45875e66f29f20
dashboard link: https://syzkaller.appspot.com/bug?extid=6b52c2b24e341804a58c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
