* syztest
2025-04-23 20:21 [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbAllocAG syzbot
@ 2025-04-23 21:47 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-04-23 21:47 UTC (permalink / raw)
To: syzbot+cffd18309153948f3c3e
Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
#syz test
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1385,6 +1385,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
(1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+ if (ti >= le32_to_cpu(dcp->nleafs)) {
+ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: ti out of bounds\n");
+ release_metapage(mp);
+ return -EIO;
+ }
+
/* dmap control page trees fan-out by 4 and a single allocation
* group may be described by 1 or 2 subtrees within the ag level
* dmap control page, depending upon the ag size. examine the ag's
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-04-24 2:02 [syzbot] [xfs?] KMSAN: uninit-value in xfs_dialloc_ag_inobt syzbot
@ 2025-04-24 8:59 ` Arnaud Lecomte
2025-04-24 8:59 ` syztest syzbot
0 siblings, 1 reply; 24+ messages in thread
From: Arnaud Lecomte @ 2025-04-24 8:59 UTC (permalink / raw)
To: syzbot+b4a84825ea149bb99bfc; +Cc: cem, linux-kernel, linux-xfs, syzkaller-bugs
#syz test
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
if (error)
goto error1;
} else {
+ pag->pagl_leftrec = NULLAGINO;
+ pag->pagl_rightrec = NULLAGINO;
/* search left with tcur, back up 1 record */
error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
if (error)
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: syztest
2025-04-24 8:59 ` syztest Arnaud Lecomte
@ 2025-04-24 8:59 ` syzbot
0 siblings, 0 replies; 24+ messages in thread
From: syzbot @ 2025-04-24 8:59 UTC (permalink / raw)
To: contact; +Cc: cem, contact, linux-kernel, linux-xfs, syzkaller-bugs
> #syz test
This crash does not have a reproducer. I cannot test it.
>
> --- a/fs/xfs/libxfs/xfs_ialloc.c
> +++ b/fs/xfs/libxfs/xfs_ialloc.c
> @@ -1182,6 +1182,8 @@ xfs_dialloc_ag_inobt(
> if (error)
> goto error1;
> } else {
> + pag->pagl_leftrec = NULLAGINO;
> + pag->pagl_rightrec = NULLAGINO;
> /* search left with tcur, back up 1 record */
> error = xfs_ialloc_next_rec(tcur, &trec, &doneleft, 1);
> if (error)
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-04-25 0:57 [syzbot] [block?] BUG: unable to handle kernel NULL pointer dereference in guard_bio_eod syzbot
@ 2025-04-27 15:57 ` Arnaud Lecomte
2025-04-27 16:03 ` syztest Arnaud Lecomte
1 sibling, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-04-27 15:57 UTC (permalink / raw)
To: syzbot+3291296495fc970e4b1c
Cc: axboe, linux-block, linux-kernel, syzkaller-bugs
#syz test
--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
*/
void guard_bio_eod(struct bio *bio)
{
+ if (unlikely(!bio->bi_bdev)
+ return;
+
sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
if (!maxsector)
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-04-25 0:57 [syzbot] [block?] BUG: unable to handle kernel NULL pointer dereference in guard_bio_eod syzbot
2025-04-27 15:57 ` syztest Arnaud Lecomte
@ 2025-04-27 16:03 ` Arnaud Lecomte
1 sibling, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-04-27 16:03 UTC (permalink / raw)
To: syzbot+3291296495fc970e4b1c
Cc: axboe, linux-block, linux-kernel, syzkaller-bugs
#syz test
--- a/block/bio.c
+++ b/block/bio.c
@@ -691,6 +691,9 @@ static void bio_truncate(struct bio *bio, unsigned new_size)
*/
void guard_bio_eod(struct bio *bio)
{
+ if (unlikely(!bio->bi_bdev))
+ return;
+
sector_t maxsector = bdev_nr_sectors(bio->bi_bdev);
if (!maxsector)
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-04-10 6:58 [syzbot] [bcachefs?] kernel BUG in __bch2_str_hash_check_key syzbot
@ 2025-04-28 16:09 ` Arnaud Lecomte
2025-04-28 16:26 ` syztest Kent Overstreet
0 siblings, 1 reply; 24+ messages in thread
From: Arnaud Lecomte @ 2025-04-28 16:09 UTC (permalink / raw)
To: syzbot+843981bb836d699c07d1
Cc: kent.overstreet, linux-bcachefs, linux-kernel, syzkaller-bugs
#syz test
--- a/fs/bcachefs/fsck.c
+++ b/fs/bcachefs/fsck.c
@@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
int ret = 0;
if (d->v.d_type == DT_SUBVOL) {
- BUG();
+ struct bch_subvolume subvol;
+
+ ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
+ false, &subvol);
+ if (ret && !bch2_err_matches(ret, ENOENT))
+ goto err;
+
+ ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
+ if (ret)
+ goto err;
+
+ if (target.inodes.nr) {
+ target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
+ ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
+ if (ret)
+ goto err;
+ }
+
} else {
ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
if (ret)
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: syztest
2025-04-28 16:09 ` syztest Arnaud Lecomte
@ 2025-04-28 16:26 ` Kent Overstreet
0 siblings, 0 replies; 24+ messages in thread
From: Kent Overstreet @ 2025-04-28 16:26 UTC (permalink / raw)
To: Arnaud Lecomte
Cc: syzbot+843981bb836d699c07d1, linux-bcachefs, linux-kernel,
syzkaller-bugs
On Mon, Apr 28, 2025 at 06:09:03PM +0200, Arnaud Lecomte wrote:
> #syz test
Don't rely on syzbot for testing, you really need to be running the
tests yourself and looking at all the output.
It's not enough to know that we're not crashing anymore, we want the
filesystem to repair and mount successfully.
> --- a/fs/bcachefs/fsck.c
> +++ b/fs/bcachefs/fsck.c
> @@ -976,7 +976,24 @@ int bch2_fsck_update_backpointers(struct btree_trans *trans,
> int ret = 0;
>
> if (d->v.d_type == DT_SUBVOL) {
> - BUG();
> + struct bch_subvolume subvol;
> +
> + ret = bch2_subvolume_get(trans, le32_to_cpu(d->v.d_child_subvol),
> + false, &subvol);
> + if (ret && !bch2_err_matches(ret, ENOENT))
> + goto err;
> +
> + ret = get_visible_inodes(trans, &target, s, le64_to_cpu(subvol.inode));
> + if (ret)
> + goto err;
> +
> + if (target.inodes.nr) {
> + target.inodes.data[0].inode.bi_dir_offset = d->k.p.offset;
> + ret = __bch2_fsck_write_inode(trans, &target.inodes.data[0].inode);
> + if (ret)
> + goto err;
> + }
> +
> } else {
> ret = get_visible_inodes(trans, &target, s, le64_to_cpu(d->v.d_inum));
> if (ret)
> --
> 2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-03-31 20:23 [syzbot] [rdma?] [s390?] [net?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock syzbot
@ 2025-06-29 13:29 ` Arnaud Lecomte
2025-06-30 6:51 ` syztest Paolo Abeni
2025-06-29 14:47 ` syztest Arnaud Lecomte
2025-06-29 15:10 ` syztest Arnaud Lecomte
2 siblings, 1 reply; 24+ messages in thread
From: Arnaud Lecomte @ 2025-06-29 13:29 UTC (permalink / raw)
To: syzbot+827ae2bfb3a3529333e9
Cc: agordeev, alibuda, davem, edumazet, guwen, horms, jaka, kuba,
linux-kernel, linux-rdma, linux-s390, netdev, pabeni,
syzkaller-bugs, tonylu, wenjia
#syz test
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
struct request_sock *req_unhash,
bool *own_req)
{
+ read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
struct smc_sock *smc;
struct sock *child;
-
smc = smc_clcsock_user_data(sk);
+ if (!smc)
+ goto drop;
+
if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
sk->sk_max_ack_backlog)
goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
}
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
return child;
drop:
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
dst_release(dst);
tcp_listendrop(sk);
return NULL;
@@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
int rc;
smc = smc_sk(sk);
- lock_sock(sk);
+ lock_sock(sock->sk);
rc = -EINVAL;
if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-03-31 20:23 [syzbot] [rdma?] [s390?] [net?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock syzbot
2025-06-29 13:29 ` syztest Arnaud Lecomte
@ 2025-06-29 14:47 ` Arnaud Lecomte
2025-06-29 15:10 ` syztest Arnaud Lecomte
2 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-06-29 14:47 UTC (permalink / raw)
To: syzbot+827ae2bfb3a3529333e9
Cc: agordeev, alibuda, davem, edumazet, guwen, horms, jaka, kuba,
linux-kernel, linux-rdma, linux-s390, netdev, pabeni,
syzkaller-bugs, tonylu, wenjia
#syz test
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -126,8 +126,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
struct smc_sock *smc;
struct sock *child;
+ lockdep_assert_held_read(&sk->sk_callback_lock);
smc = smc_clcsock_user_data(sk);
+ if (!smc)
+ goto drop;
+
if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
sk->sk_max_ack_backlog)
goto drop;
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-03-31 20:23 [syzbot] [rdma?] [s390?] [net?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock syzbot
2025-06-29 13:29 ` syztest Arnaud Lecomte
2025-06-29 14:47 ` syztest Arnaud Lecomte
@ 2025-06-29 15:10 ` Arnaud Lecomte
2 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-06-29 15:10 UTC (permalink / raw)
To: syzbot+827ae2bfb3a3529333e9
Cc: agordeev, alibuda, davem, edumazet, guwen, horms, jaka, kuba,
linux-kernel, linux-rdma, linux-s390, netdev, pabeni,
syzkaller-bugs, tonylu, wenjia
#syz test
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -125,9 +125,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
{
struct smc_sock *smc;
struct sock *child;
-
+ read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
smc = smc_clcsock_user_data(sk);
+ if (!smc)
+ goto drop;
+
if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
sk->sk_max_ack_backlog)
goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
}
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
return child;
drop:
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
dst_release(dst);
tcp_listendrop(sk);
return NULL;
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: syztest
2025-06-29 13:29 ` syztest Arnaud Lecomte
@ 2025-06-30 6:51 ` Paolo Abeni
0 siblings, 0 replies; 24+ messages in thread
From: Paolo Abeni @ 2025-06-30 6:51 UTC (permalink / raw)
To: Arnaud Lecomte, syzbot+827ae2bfb3a3529333e9
Cc: agordeev, alibuda, davem, edumazet, guwen, horms, jaka, kuba,
linux-kernel, linux-rdma, linux-s390, netdev, syzkaller-bugs,
tonylu, wenjia
On 6/29/25 3:29 PM, Arnaud Lecomte wrote:
> #syz test
>
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
> struct request_sock *req_unhash,
> bool *own_req)
> {
> + read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
> struct smc_sock *smc;
> struct sock *child;
> -
> smc = smc_clcsock_user_data(sk);
>
> + if (!smc)
> + goto drop;
> +
> if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
> sk->sk_max_ack_backlog)
> goto drop;
> @@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
> if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
> inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
> }
> + read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
> return child;
>
> drop:
> + read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
> dst_release(dst);
> tcp_listendrop(sk);
> return NULL;
> @@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
> int rc;
>
> smc = smc_sk(sk);
> - lock_sock(sk);
> + lock_sock(sock->sk);
>
> rc = -EINVAL;
> if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
Please stop cc-ing netdev and other kernel ML with this tests. You
should keep just the syzkaller related MLs and a very restricted list of
individuals (i.e. no maintainers).
Thanks,
Paolo
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-07-03 9:47 [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_bin_event syzbot
@ 2025-07-20 19:16 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-20 19:16 UTC (permalink / raw)
To: syzbot+86b6d7c8bcc66747c505; +Cc: linux-kernel, syzkaller-bugs
#syz test
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -249,7 +249,11 @@ static unsigned int mon_copy_to_buff(const struct mon_reader_bin *this,
* Copy data and advance pointers.
*/
buf = this->b_vec[off / CHUNK_SIZE].ptr + off % CHUNK_SIZE;
- memcpy(buf, from, step_len);
+
+ if (copy_from_kernel_nofault(buf, from, step_len)) {
+ pr_warn("Failed to copy URB transfer buffer content into mon bin.");
+ return -EFAULT;
+ }
if ((off += step_len) >= this->b_size) off = 0;
from += step_len;
length -= step_len;
@@ -413,11 +417,13 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
*flag = 0;
if (urb->num_sgs == 0) {
- if (urb->transfer_buffer == NULL) {
+ if (
+ urb->transfer_buffer == NULL ||
+ mon_copy_to_buff(rp, offset, urb->transfer_buffer, length) < 0
+ ) {
*flag = 'Z';
return length;
}
- mon_copy_to_buff(rp, offset, urb->transfer_buffer, length);
length = 0;
} else {
@@ -434,6 +440,10 @@ static unsigned int mon_bin_get_data(const struct mon_reader_bin *rp,
this_len = min_t(unsigned int, sg->length, length);
offset = mon_copy_to_buff(rp, offset, sg_virt(sg),
this_len);
+ if (offset < 0) {
+ *flag = 'Z';
+ return length;
+ }
length -= this_len;
}
if (i == 0)
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-07-21 18:59 [syzbot] [kernel?] KMSAN: kernel-infoleak in do_insn_ioctl syzbot
@ 2025-07-24 20:27 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-24 20:27 UTC (permalink / raw)
To: syzbot+a5e45f768aab5892da5d; +Cc: linux-kernel, syzkaller-bugs
#syz test
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1636,7 +1636,7 @@ static int do_insn_ioctl(struct comedi_device *dev,
n_data = MAX_SAMPLES;
}
- data = kmalloc_array(n_data, sizeof(unsigned int), GFP_KERNEL);
+ data = kcalloc(n_data, sizeof(unsigned int), GFP_KERNEL);
if (!data) {
ret = -ENOMEM;
goto error;
--
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2024-12-06 20:05 [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event syzbot
@ 2025-07-26 20:41 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-26 20:41 UTC (permalink / raw)
To: syzbot+52c1a7d3e5b361ccd346
Cc: linux-input, linux-kernel, linux-usb, syzkaller-bugs
#syz test
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
}
if (data[2] == MCP2221_I2C_READ_COMPL ||
data[2] == MCP2221_I2C_READ_PARTIAL) {
+ if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+ mcp->status = -EINVAL;
+ break;
+ }
buf = mcp->rxbuf;
memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
--
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2024-01-22 9:48 [syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move syzbot
@ 2025-07-27 18:17 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-27 18:17 UTC (permalink / raw)
To: syzbot+6df204b70bf3261691c5; +Cc: linux-fsdevel, linux-kernel, syzkaller-bugs
#syz test
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -124,6 +124,12 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
data_rec_off += 2;
} while (data_rec_off < idx_rec_off);
+ if (end_off < data_off) {
+ hfs_dbg(BNODE_MOD, "corrupted node: end_off %u < data_off %u\n", end_off, data_off);
+ if (new_node)
+ hfs_bnode_put(new_node);
+ return -EIO;
+ }
/* move data away */
hfs_bnode_move(node, data_off + size, data_off,
end_off - data_off);
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-07-28 23:37 [syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid syzbot
@ 2025-07-29 7:22 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-29 7:22 UTC (permalink / raw)
To: syzbot+c9b724fbb41cf2538b7b; +Cc: bpf, linux-kernel, netdev, syzkaller-bugs
#syz test
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -230,7 +230,7 @@ static long __bpf_get_stackid(struct bpf_map *map,
struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
- u32 hash, id, trace_nr, trace_len, i;
+ u32 hash, id, trace_nr, trace_len, i, max_depth;
bool user = flags & BPF_F_USER_STACK;
u64 *ips;
bool hash_matches;
@@ -241,6 +241,19 @@ static long __bpf_get_stackid(struct bpf_map *map,
trace_nr = trace->nr - skip;
trace_len = trace_nr * sizeof(u64);
+
+ /* Clamp the trace to max allowed depth */
+ if (stack_map_use_build_id(map))
+ max_depth = smap->map.value_size / sizeof(struct bpf_stack_build_id);
+ else
+ max_depth = smap->map.value_size / sizeof(u64);
+
+ if (trace_nr > max_depth)
+ trace_nr = max_depth;
+
+ ips = trace->ip + skip;
+
+
ips = trace->ip + skip;
hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
id = hash & (smap->n_buckets - 1);
--
^ permalink raw reply [flat|nested] 24+ messages in thread
* [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events
@ 2025-07-29 21:58 syzbot
2025-07-30 5:51 ` syztest Arnaud Lecomte
2025-07-30 6:14 ` Yu Kuai
0 siblings, 2 replies; 24+ messages in thread
From: syzbot @ 2025-07-29 21:58 UTC (permalink / raw)
To: axboe, linux-block, linux-fsdevel, linux-kernel, miklos,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ced1b9e0392d Merge tag 'ata-6.17-rc1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171a9782580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834
CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
__list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
__list_add_valid include/linux/list.h:88 [inline]
__list_add include/linux/list.h:150 [inline]
list_add_tail include/linux/list.h:183 [inline]
disk_add_events+0x90/0x170 block/disk-events.c:463
add_disk_final block/genhd.c:427 [inline]
add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
add_disk include/linux/blkdev.h:773 [inline]
md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
md_alloc_and_put drivers/md/md.c:6016 [inline]
md_probe drivers/md/md.c:6029 [inline]
md_probe+0x6e/0xd0 drivers/md/md.c:6024
blk_probe_dev+0x116/0x1a0 block/genhd.c:884
blk_request_module+0x16/0xb0 block/genhd.c:897
blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
blkdev_open+0x141/0x3f0 block/fops.c:684
do_dentry_open+0x744/0x1c10 fs/open.c:965
vfs_open+0x82/0x3f0 fs/open.c:1095
do_open fs/namei.c:3887 [inline]
path_openat+0x1de4/0x2cb0 fs/namei.c:4046
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ea558e9a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
</TASK>
Allocated by task 9822:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
__add_disk+0x475/0xf00 block/genhd.c:500
add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
add_disk include/linux/blkdev.h:773 [inline]
md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
md_alloc_and_put drivers/md/md.c:6016 [inline]
md_probe drivers/md/md.c:6029 [inline]
md_probe+0x6e/0xd0 drivers/md/md.c:6024
blk_probe_dev+0x116/0x1a0 block/genhd.c:884
blk_request_module+0x16/0xb0 block/genhd.c:897
blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
blkdev_open+0x141/0x3f0 block/fops.c:684
do_dentry_open+0x744/0x1c10 fs/open.c:965
vfs_open+0x82/0x3f0 fs/open.c:1095
do_open fs/namei.c:3887 [inline]
path_openat+0x1de4/0x2cb0 fs/namei.c:4046
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 9817:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
disk_release+0x161/0x410 block/genhd.c:1301
device_release+0xa1/0x240 drivers/base/core.c:2568
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3800
blkdev_release+0x15/0x20 block/fops.c:699
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888036fa1400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
freed 512-byte region [ffff888036fa1400, ffff888036fa1600)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36fa0
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab mm/slub.c:2619 [inline]
new_slab+0x23b/0x330 mm/slub.c:2673
___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
copy_process+0x3107/0x7650 kernel/fork.c:2097
kernel_clone+0xfc/0x960 kernel/fork.c:2599
kernel_thread+0xd4/0x120 kernel/fork.c:2661
create_kthread kernel/kthread.c:487 [inline]
kthreadd+0x503/0x800 kernel/kthread.c:847
ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 6016 tgid 6016 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
vfree+0x1fd/0xb50 mm/vmalloc.c:3434
kcov_put kernel/kcov.c:439 [inline]
kcov_put kernel/kcov.c:435 [inline]
kcov_close+0x34/0x60 kernel/kcov.c:535
__fput+0x402/0xb70 fs/file_table.c:468
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x86c/0x2bd0 kernel/exit.c:964
do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2025-07-29 21:58 [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
@ 2025-07-30 5:51 ` Arnaud Lecomte
2025-07-30 6:09 ` syztest Yu Kuai
2025-07-30 8:37 ` [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
2025-07-30 6:14 ` Yu Kuai
1 sibling, 2 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-30 5:51 UTC (permalink / raw)
To: syzbot+fa3a12519f0d3fd4ec16
Cc: linux-block, linux-fsdevel, linux-kernel, syzkaller-bugs
#syz test
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
disk->events |= DISK_EVENT_MEDIA_CHANGE;
mddev->gendisk = disk;
- error = add_disk(disk);
- if (error)
- goto out_put_disk;
-
kobject_init(&mddev->kobj, &md_ktype);
error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
if (error) {
@@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
kobject_uevent(&mddev->kobj, KOBJ_ADD);
mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
+ error = add_disk(disk);
+ if (error)
+ goto out_put_disk;
mutex_unlock(&disks_mutex);
return mddev;
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: syztest
2025-07-30 5:51 ` syztest Arnaud Lecomte
@ 2025-07-30 6:09 ` Yu Kuai
2025-07-30 7:10 ` syztest Arnaud Lecomte
2025-07-30 8:37 ` [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
1 sibling, 1 reply; 24+ messages in thread
From: Yu Kuai @ 2025-07-30 6:09 UTC (permalink / raw)
To: Arnaud Lecomte, syzbot+fa3a12519f0d3fd4ec16
Cc: linux-block, linux-fsdevel, linux-kernel, syzkaller-bugs,
yukuai (C)
Hi,
在 2025/07/30 13:51, Arnaud Lecomte 写道:
> #syz test
>
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>
> disk->events |= DISK_EVENT_MEDIA_CHANGE;
> mddev->gendisk = disk;
> - error = add_disk(disk);
> - if (error)
> - goto out_put_disk;
> -
> kobject_init(&mddev->kobj, &md_ktype);
> error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
This is wrong, you can't add mddev >kobj under the disk without
kobject_add for the disk kobj.
Thanks,
Kuai
> if (error) {
> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
> kobject_uevent(&mddev->kobj, KOBJ_ADD);
> mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd, "array_state");
> mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd, "level");
> + error = add_disk(disk);
> + if (error)
> + goto out_put_disk;
> mutex_unlock(&disks_mutex);
> return mddev;
>
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events
2025-07-29 21:58 [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
2025-07-30 5:51 ` syztest Arnaud Lecomte
@ 2025-07-30 6:14 ` Yu Kuai
2025-07-30 6:16 ` Yu Kuai
1 sibling, 1 reply; 24+ messages in thread
From: Yu Kuai @ 2025-07-30 6:14 UTC (permalink / raw)
To: syzbot, axboe, linux-block, linux-fsdevel, linux-kernel, miklos,
syzkaller-bugs, yukuai (C)
+CC Xiao
在 2025/07/30 5:58, syzbot 写道:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ced1b9e0392d Merge tag 'ata-6.17-rc1' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
> dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171a9782580000
>
This looks like the same cause with another report:
https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0012.GAE@google.com/
The mddev kobject liftime is broken, now in the case del_work is queued,
means mddev is about to be freed, meanwhile md_open can succeed.
Thanks,
Kuai
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
> Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834
>
> CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0xcd/0x630 mm/kasan/report.c:482
> kasan_report+0xe0/0x110 mm/kasan/report.c:595
> __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
> __list_add_valid include/linux/list.h:88 [inline]
> __list_add include/linux/list.h:150 [inline]
> list_add_tail include/linux/list.h:183 [inline]
> disk_add_events+0x90/0x170 block/disk-events.c:463
> add_disk_final block/genhd.c:427 [inline]
> add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
> add_disk include/linux/blkdev.h:773 [inline]
> md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
> md_alloc_and_put drivers/md/md.c:6016 [inline]
> md_probe drivers/md/md.c:6029 [inline]
> md_probe+0x6e/0xd0 drivers/md/md.c:6024
> blk_probe_dev+0x116/0x1a0 block/genhd.c:884
> blk_request_module+0x16/0xb0 block/genhd.c:897
> blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
> blkdev_open+0x141/0x3f0 block/fops.c:684
> do_dentry_open+0x744/0x1c10 fs/open.c:965
> vfs_open+0x82/0x3f0 fs/open.c:1095
> do_open fs/namei.c:3887 [inline]
> path_openat+0x1de4/0x2cb0 fs/namei.c:4046
> do_filp_open+0x20b/0x470 fs/namei.c:4073
> do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
> do_sys_open fs/open.c:1450 [inline]
> __do_sys_openat fs/open.c:1466 [inline]
> __se_sys_openat fs/open.c:1461 [inline]
> __x64_sys_openat+0x174/0x210 fs/open.c:1461
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f4ea558e9a9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
> RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
> RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
> </TASK>
>
> Allocated by task 9822:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
> kmalloc_noprof include/linux/slab.h:905 [inline]
> kzalloc_noprof include/linux/slab.h:1039 [inline]
> disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
> __add_disk+0x475/0xf00 block/genhd.c:500
> add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
> add_disk include/linux/blkdev.h:773 [inline]
> md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
> md_alloc_and_put drivers/md/md.c:6016 [inline]
> md_probe drivers/md/md.c:6029 [inline]
> md_probe+0x6e/0xd0 drivers/md/md.c:6024
> blk_probe_dev+0x116/0x1a0 block/genhd.c:884
> blk_request_module+0x16/0xb0 block/genhd.c:897
> blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
> blkdev_open+0x141/0x3f0 block/fops.c:684
> do_dentry_open+0x744/0x1c10 fs/open.c:965
> vfs_open+0x82/0x3f0 fs/open.c:1095
> do_open fs/namei.c:3887 [inline]
> path_openat+0x1de4/0x2cb0 fs/namei.c:4046
> do_filp_open+0x20b/0x470 fs/namei.c:4073
> do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
> do_sys_open fs/open.c:1450 [inline]
> __do_sys_openat fs/open.c:1466 [inline]
> __se_sys_openat fs/open.c:1461 [inline]
> __x64_sys_openat+0x174/0x210 fs/open.c:1461
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 9817:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
> kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2381 [inline]
> slab_free mm/slub.c:4643 [inline]
> kfree+0x2b4/0x4d0 mm/slub.c:4842
> disk_release+0x161/0x410 block/genhd.c:1301
> device_release+0xa1/0x240 drivers/base/core.c:2568
> kobject_cleanup lib/kobject.c:689 [inline]
> kobject_release lib/kobject.c:720 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1e7/0x5a0 lib/kobject.c:737
> put_device+0x1f/0x30 drivers/base/core.c:3800
> blkdev_release+0x15/0x20 block/fops.c:699
> __fput+0x402/0xb70 fs/file_table.c:468
> task_work_run+0x14d/0x240 kernel/task_work.c:227
> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
> exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
> syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
> syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
> do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> The buggy address belongs to the object at ffff888036fa1400
> which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 0 bytes inside of
> freed 512-byte region [ffff888036fa1400, ffff888036fa1600)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36fa0
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
> prep_new_page mm/page_alloc.c:1712 [inline]
> get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
> __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
> alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
> alloc_slab_page mm/slub.c:2451 [inline]
> allocate_slab mm/slub.c:2619 [inline]
> new_slab+0x23b/0x330 mm/slub.c:2673
> ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
> __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
> __slab_alloc_node mm/slub.c:4024 [inline]
> slab_alloc_node mm/slub.c:4185 [inline]
> __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
> kmalloc_noprof include/linux/slab.h:905 [inline]
> kzalloc_noprof include/linux/slab.h:1039 [inline]
> set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
> copy_process+0x3107/0x7650 kernel/fork.c:2097
> kernel_clone+0xfc/0x960 kernel/fork.c:2599
> kernel_thread+0xd4/0x120 kernel/fork.c:2661
> create_kthread kernel/kthread.c:487 [inline]
> kthreadd+0x503/0x800 kernel/kthread.c:847
> ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> page last free pid 6016 tgid 6016 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1248 [inline]
> __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
> vfree+0x1fd/0xb50 mm/vmalloc.c:3434
> kcov_put kernel/kcov.c:439 [inline]
> kcov_put kernel/kcov.c:435 [inline]
> kcov_close+0x34/0x60 kernel/kcov.c:535
> __fput+0x402/0xb70 fs/file_table.c:468
> task_work_run+0x14d/0x240 kernel/task_work.c:227
> exit_task_work include/linux/task_work.h:40 [inline]
> do_exit+0x86c/0x2bd0 kernel/exit.c:964
> do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
> get_signal+0x2673/0x26d0 kernel/signal.c:3034
> arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
> exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
> syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
> syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
> do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
> ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
>
> .
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events
2025-07-30 6:14 ` Yu Kuai
@ 2025-07-30 6:16 ` Yu Kuai
0 siblings, 0 replies; 24+ messages in thread
From: Yu Kuai @ 2025-07-30 6:16 UTC (permalink / raw)
To: Yu Kuai, syzbot, axboe, linux-block, linux-fsdevel, linux-kernel,
miklos, syzkaller-bugs, Xiao Ni
在 2025/07/30 14:14, Yu Kuai 写道:
> +CC Xiao
Forgot to CC in the last emial, sorry for the noisy.
Thanks,
Kuai
>
> 在 2025/07/30 5:58, syzbot 写道:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: ced1b9e0392d Merge tag 'ata-6.17-rc1' of
>> git://git.kernel...
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=133b8cf0580000
>> kernel config:
>> https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils
>> for Debian) 2.40
>> syz repro:
>> https://syzkaller.appspot.com/x/repro.syz?x=154b31bc580000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171a9782580000
>>
>
> This looks like the same cause with another report:
>
> https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0012.GAE@google.com/
>
> The mddev kobject liftime is broken, now in the case del_work is queued,
> means mddev is about to be freed, meanwhile md_open can succeed.
>
> Thanks,
> Kuai
>
>> Downloadable assets:
>> disk image (non-bootable):
>> https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
>>
>> vmlinux:
>> https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
>>
>> kernel image:
>> https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz
>>
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the
>> commit:
>> Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: slab-use-after-free in
>> __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
>> Read of size 8 at addr ffff888036fa1400 by task syz.2.1231/9834
>>
>> CPU: 3 UID: 0 PID: 9834 Comm: syz.2.1231 Not tainted
>> 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full)
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
>> 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
>> Call Trace:
>> <TASK>
>> __dump_stack lib/dump_stack.c:94 [inline]
>> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>> print_address_description mm/kasan/report.c:378 [inline]
>> print_report+0xcd/0x630 mm/kasan/report.c:482
>> kasan_report+0xe0/0x110 mm/kasan/report.c:595
>> __list_add_valid_or_report+0x151/0x190 lib/list_debug.c:32
>> __list_add_valid include/linux/list.h:88 [inline]
>> __list_add include/linux/list.h:150 [inline]
>> list_add_tail include/linux/list.h:183 [inline]
>> disk_add_events+0x90/0x170 block/disk-events.c:463
>> add_disk_final block/genhd.c:427 [inline]
>> add_disk_fwnode+0x3c8/0x5d0 block/genhd.c:610
>> add_disk include/linux/blkdev.h:773 [inline]
>> md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>> md_alloc_and_put drivers/md/md.c:6016 [inline]
>> md_probe drivers/md/md.c:6029 [inline]
>> md_probe+0x6e/0xd0 drivers/md/md.c:6024
>> blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>> blk_request_module+0x16/0xb0 block/genhd.c:897
>> blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>> blkdev_open+0x141/0x3f0 block/fops.c:684
>> do_dentry_open+0x744/0x1c10 fs/open.c:965
>> vfs_open+0x82/0x3f0 fs/open.c:1095
>> do_open fs/namei.c:3887 [inline]
>> path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>> do_filp_open+0x20b/0x470 fs/namei.c:4073
>> do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>> do_sys_open fs/open.c:1450 [inline]
>> __do_sys_openat fs/open.c:1466 [inline]
>> __se_sys_openat fs/open.c:1461 [inline]
>> __x64_sys_openat+0x174/0x210 fs/open.c:1461
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7f4ea558e9a9
>> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
>> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
>> 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007f4ea645e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
>> RAX: ffffffffffffffda RBX: 00007f4ea57b6080 RCX: 00007f4ea558e9a9
>> RDX: 0000000000000000 RSI: 0000200000000a80 RDI: ffffffffffffff9c
>> RBP: 00007f4ea5610d69 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
>> R13: 0000000000000000 R14: 00007f4ea57b6080 R15: 00007fff25d53038
>> </TASK>
>>
>> Allocated by task 9822:
>> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>> kmalloc_noprof include/linux/slab.h:905 [inline]
>> kzalloc_noprof include/linux/slab.h:1039 [inline]
>> disk_alloc_events+0xf0/0x3f0 block/disk-events.c:439
>> __add_disk+0x475/0xf00 block/genhd.c:500
>> add_disk_fwnode+0x3f8/0x5d0 block/genhd.c:601
>> add_disk include/linux/blkdev.h:773 [inline]
>> md_alloc+0x3c2/0x1080 drivers/md/md.c:5981
>> md_alloc_and_put drivers/md/md.c:6016 [inline]
>> md_probe drivers/md/md.c:6029 [inline]
>> md_probe+0x6e/0xd0 drivers/md/md.c:6024
>> blk_probe_dev+0x116/0x1a0 block/genhd.c:884
>> blk_request_module+0x16/0xb0 block/genhd.c:897
>> blkdev_get_no_open+0x9b/0x100 block/bdev.c:825
>> blkdev_open+0x141/0x3f0 block/fops.c:684
>> do_dentry_open+0x744/0x1c10 fs/open.c:965
>> vfs_open+0x82/0x3f0 fs/open.c:1095
>> do_open fs/namei.c:3887 [inline]
>> path_openat+0x1de4/0x2cb0 fs/namei.c:4046
>> do_filp_open+0x20b/0x470 fs/namei.c:4073
>> do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
>> do_sys_open fs/open.c:1450 [inline]
>> __do_sys_openat fs/open.c:1466 [inline]
>> __se_sys_openat fs/open.c:1461 [inline]
>> __x64_sys_openat+0x174/0x210 fs/open.c:1461
>> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Freed by task 9817:
>> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>> kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
>> poison_slab_object mm/kasan/common.c:247 [inline]
>> __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
>> kasan_slab_free include/linux/kasan.h:233 [inline]
>> slab_free_hook mm/slub.c:2381 [inline]
>> slab_free mm/slub.c:4643 [inline]
>> kfree+0x2b4/0x4d0 mm/slub.c:4842
>> disk_release+0x161/0x410 block/genhd.c:1301
>> device_release+0xa1/0x240 drivers/base/core.c:2568
>> kobject_cleanup lib/kobject.c:689 [inline]
>> kobject_release lib/kobject.c:720 [inline]
>> kref_put include/linux/kref.h:65 [inline]
>> kobject_put+0x1e7/0x5a0 lib/kobject.c:737
>> put_device+0x1f/0x30 drivers/base/core.c:3800
>> blkdev_release+0x15/0x20 block/fops.c:699
>> __fput+0x402/0xb70 fs/file_table.c:468
>> task_work_run+0x14d/0x240 kernel/task_work.c:227
>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
>> exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>> syscall_exit_to_user_mode_work include/linux/entry-common.h:414
>> [inline]
>> syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>> do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> The buggy address belongs to the object at ffff888036fa1400
>> which belongs to the cache kmalloc-512 of size 512
>> The buggy address is located 0 bytes inside of
>> freed 512-byte region [ffff888036fa1400, ffff888036fa1600)
>>
>> The buggy address belongs to the physical page:
>> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
>> pfn:0x36fa0
>> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
>> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
>> page_type: f5(slab)
>> raw: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
>> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
>> head: 00fff00000000040 ffff88801b842c80 dead000000000100 dead000000000122
>> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
>> head: 00fff00000000002 ffffea0000dbe801 00000000ffffffff 00000000ffffffff
>> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 2, migratetype Unmovable, gfp_mask
>> 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC),
>> pid 2, tgid 2 (kthreadd), ts 71482349709, free_ts 68765218476
>> set_page_owner include/linux/page_owner.h:32 [inline]
>> post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
>> prep_new_page mm/page_alloc.c:1712 [inline]
>> get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
>> __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
>> alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
>> alloc_slab_page mm/slub.c:2451 [inline]
>> allocate_slab mm/slub.c:2619 [inline]
>> new_slab+0x23b/0x330 mm/slub.c:2673
>> ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
>> __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
>> __slab_alloc_node mm/slub.c:4024 [inline]
>> slab_alloc_node mm/slub.c:4185 [inline]
>> __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
>> kmalloc_noprof include/linux/slab.h:905 [inline]
>> kzalloc_noprof include/linux/slab.h:1039 [inline]
>> set_kthread_struct+0xcb/0x380 kernel/kthread.c:126
>> copy_process+0x3107/0x7650 kernel/fork.c:2097
>> kernel_clone+0xfc/0x960 kernel/fork.c:2599
>> kernel_thread+0xd4/0x120 kernel/fork.c:2661
>> create_kthread kernel/kthread.c:487 [inline]
>> kthreadd+0x503/0x800 kernel/kthread.c:847
>> ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>> page last free pid 6016 tgid 6016 stack trace:
>> reset_page_owner include/linux/page_owner.h:25 [inline]
>> free_pages_prepare mm/page_alloc.c:1248 [inline]
>> __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
>> vfree+0x1fd/0xb50 mm/vmalloc.c:3434
>> kcov_put kernel/kcov.c:439 [inline]
>> kcov_put kernel/kcov.c:435 [inline]
>> kcov_close+0x34/0x60 kernel/kcov.c:535
>> __fput+0x402/0xb70 fs/file_table.c:468
>> task_work_run+0x14d/0x240 kernel/task_work.c:227
>> exit_task_work include/linux/task_work.h:40 [inline]
>> do_exit+0x86c/0x2bd0 kernel/exit.c:964
>> do_group_exit+0xd3/0x2a0 kernel/exit.c:1105
>> get_signal+0x2673/0x26d0 kernel/signal.c:3034
>> arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
>> exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
>> exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
>> syscall_exit_to_user_mode_work include/linux/entry-common.h:414
>> [inline]
>> syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
>> do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> Memory state around the buggy address:
>> ffff888036fa1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff888036fa1380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff888036fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff888036fa1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff888036fa1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>>
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.
>>
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>>
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>>
>> If you want to undo deduplication, reply with:
>> #syz undup
>>
>>
>> .
>>
>
> .
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: syztest
2025-07-30 6:09 ` syztest Yu Kuai
@ 2025-07-30 7:10 ` Arnaud Lecomte
0 siblings, 0 replies; 24+ messages in thread
From: Arnaud Lecomte @ 2025-07-30 7:10 UTC (permalink / raw)
To: Yu Kuai, syzbot+fa3a12519f0d3fd4ec16
Cc: linux-block, linux-fsdevel, linux-kernel, syzkaller-bugs,
yukuai (C)
On 30/07/2025 07:09, Yu Kuai wrote:
> Hi,
>
> 在 2025/07/30 13:51, Arnaud Lecomte 写道:
>> #syz test
>>
>> --- a/drivers/md/md.c
>> +++ b/drivers/md/md.c
>> @@ -5978,10 +5978,6 @@ struct mddev *md_alloc(dev_t dev, char *name)
>> disk->events |= DISK_EVENT_MEDIA_CHANGE;
>> mddev->gendisk = disk;
>> - error = add_disk(disk);
>> - if (error)
>> - goto out_put_disk;
>> -
>> kobject_init(&mddev->kobj, &md_ktype);
>> error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj,
>> "%s", "md");
>
> This is wrong, you can't add mddev >kobj under the disk without
> kobject_add for the disk kobj.
>
Will dive a bit more into that after work,
Thanks
> Thanks,
> Kuai
>
>> if (error) {
>> @@ -5999,6 +5995,9 @@ struct mddev *md_alloc(dev_t dev, char *name)
>> kobject_uevent(&mddev->kobj, KOBJ_ADD);
>> mddev->sysfs_state = sysfs_get_dirent_safe(mddev->kobj.sd,
>> "array_state");
>> mddev->sysfs_level = sysfs_get_dirent_safe(mddev->kobj.sd,
>> "level");
>> + error = add_disk(disk);
>> + if (error)
>> + goto out_put_disk;
>> mutex_unlock(&disks_mutex);
>> return mddev;
>>
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events
2025-07-30 5:51 ` syztest Arnaud Lecomte
2025-07-30 6:09 ` syztest Yu Kuai
@ 2025-07-30 8:37 ` syzbot
1 sibling, 0 replies; 24+ messages in thread
From: syzbot @ 2025-07-30 8:37 UTC (permalink / raw)
To: contact, linux-block, linux-fsdevel, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
Tested-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
Tested on:
commit: 4b290aae Merge tag 'sysctl-6.17-rc1' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10908834580000
kernel config: https://syzkaller.appspot.com/x/.config?x=295b41325f4e1bab
dashboard link: https://syzkaller.appspot.com/bug?extid=fa3a12519f0d3fd4ec16
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15ac34a2580000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 24+ messages in thread
* syztest
2023-06-17 5:30 [syzbot] [hfs?] kernel BUG in hfsplus_bnode_put syzbot
@ 2025-08-29 6:30 ` Chenzhi Yang
0 siblings, 0 replies; 24+ messages in thread
From: Chenzhi Yang @ 2025-08-29 6:30 UTC (permalink / raw)
To: syzbot+005d2a9ecd9fbf525f6a; +Cc: linux-fsdevel, linux-kernel, Yang Chenzhi
From: Yang Chenzhi <yang.chenzhi@vivo.com>
#syz test
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -522,6 +522,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else {
+ hfs_bnode_get(node2);
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
--
2.43.0
^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2025-08-29 6:31 UTC | newest]
Thread overview: 24+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-29 21:58 [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
2025-07-30 5:51 ` syztest Arnaud Lecomte
2025-07-30 6:09 ` syztest Yu Kuai
2025-07-30 7:10 ` syztest Arnaud Lecomte
2025-07-30 8:37 ` [syzbot] [fuse?] [block?] KASAN: slab-use-after-free Read in disk_add_events syzbot
2025-07-30 6:14 ` Yu Kuai
2025-07-30 6:16 ` Yu Kuai
-- strict thread matches above, loose matches on Subject: below --
2025-07-28 23:37 [syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid syzbot
2025-07-29 7:22 ` syztest Arnaud Lecomte
2025-07-21 18:59 [syzbot] [kernel?] KMSAN: kernel-infoleak in do_insn_ioctl syzbot
2025-07-24 20:27 ` syztest Arnaud Lecomte
2025-07-03 9:47 [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_bin_event syzbot
2025-07-20 19:16 ` syztest Arnaud Lecomte
2025-04-25 0:57 [syzbot] [block?] BUG: unable to handle kernel NULL pointer dereference in guard_bio_eod syzbot
2025-04-27 15:57 ` syztest Arnaud Lecomte
2025-04-27 16:03 ` syztest Arnaud Lecomte
2025-04-24 2:02 [syzbot] [xfs?] KMSAN: uninit-value in xfs_dialloc_ag_inobt syzbot
2025-04-24 8:59 ` syztest Arnaud Lecomte
2025-04-24 8:59 ` syztest syzbot
2025-04-23 20:21 [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dbAllocAG syzbot
2025-04-23 21:47 ` syztest Arnaud Lecomte
2025-04-10 6:58 [syzbot] [bcachefs?] kernel BUG in __bch2_str_hash_check_key syzbot
2025-04-28 16:09 ` syztest Arnaud Lecomte
2025-04-28 16:26 ` syztest Kent Overstreet
2025-03-31 20:23 [syzbot] [rdma?] [s390?] [net?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock syzbot
2025-06-29 13:29 ` syztest Arnaud Lecomte
2025-06-30 6:51 ` syztest Paolo Abeni
2025-06-29 14:47 ` syztest Arnaud Lecomte
2025-06-29 15:10 ` syztest Arnaud Lecomte
2024-12-06 20:05 [syzbot] [input?] [usb?] KASAN: slab-out-of-bounds Read in mcp2221_raw_event syzbot
2025-07-26 20:41 ` syztest Arnaud Lecomte
2024-01-22 9:48 [syzbot] [hfs?] KASAN: out-of-bounds Read in hfsplus_bnode_move syzbot
2025-07-27 18:17 ` syztest Arnaud Lecomte
2023-06-17 5:30 [syzbot] [hfs?] kernel BUG in hfsplus_bnode_put syzbot
2025-08-29 6:30 ` syztest Chenzhi Yang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).