| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <686db3ea.050a0220.1ffab7.0028.GAE@google.com>
Date: Tue, 08 Jul 2025 17:12:26 -0700
From: syzbot <syzbot+a6ffe86390c8a6afc818@...kaller.appspotmail.com>
To: jgg@...pe.ca, leon@...nel.org, linux-kernel@...r.kernel.org,
linux-rdma@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [rdma?] KASAN: slab-use-after-free Read in ucma_create_uevent
Hello,
syzbot found the following issue on:
HEAD commit: d006330be3f7 Merge tag 'sound-6.16-rc6' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e4bf70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8fa6c6703a4b2315
dashboard link: https://syzkaller.appspot.com/bug?extid=a6ffe86390c8a6afc818
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17e4bf70580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f6ca8c580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-d006330b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d47418563f9c/vmlinux-d006330b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/677ac864031c/bzImage-d006330b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a6ffe86390c8a6afc818@...kaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in ucma_create_uevent+0xadb/0xb30 drivers/infiniband/core/ucma.c:275
Read of size 8 at addr ffff888029155410 by task kworker/u32:9/1147
CPU: 3 UID: 0 PID: 1147 Comm: kworker/u32:9 Not tainted 6.16.0-rc5-syzkaller-00025-gd006330be3f7 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: rdma_cm cma_iboe_join_work_handler
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xcd/0x680 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
ucma_create_uevent+0xadb/0xb30 drivers/infiniband/core/ucma.c:275
ucma_event_handler+0x102/0x940 drivers/infiniband/core/ucma.c:351
cma_cm_event_handler+0x97/0x300 drivers/infiniband/core/cma.c:2173
cma_iboe_join_work_handler+0xca/0x170 drivers/infiniband/core/cma.c:3008
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
kthread+0x3c5/0x780 kernel/kthread.c:464
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6107:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
ucma_process_join+0x237/0xa30 drivers/infiniband/core/ucma.c:1465
ucma_join_multicast+0xe8/0x160 drivers/infiniband/core/ucma.c:1557
ucma_write+0x1fb/0x330 drivers/infiniband/core/ucma.c:1738
vfs_write+0x2a0/0x1150 fs/read_write.c:684
ksys_write+0x1f8/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6107:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
ucma_process_join+0x3b9/0xa30 drivers/infiniband/core/ucma.c:1516
ucma_join_multicast+0xe8/0x160 drivers/infiniband/core/ucma.c:1557
ucma_write+0x1fb/0x330 drivers/infiniband/core/ucma.c:1738
vfs_write+0x2a0/0x1150 fs/read_write.c:684
ksys_write+0x1f8/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888029155400
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
freed 192-byte region [ffff888029155400, ffff8880291554c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29155
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801b8423c0 ffffea0000a60c80 dead000000000002
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 12897812541, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab mm/slub.c:2619 [inline]
new_slab+0x23b/0x330 mm/slub.c:2673
___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
call_usermodehelper_setup+0xaf/0x360 kernel/umh.c:362
kobject_uevent_env+0x1690/0x1870 lib/kobject_uevent.c:628
driver_bound+0x164/0x230 drivers/base/dd.c:421
really_probe+0x62b/0xa90 drivers/base/dd.c:707
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:957
bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
page_owner free stack trace missing
Memory state around the buggy address:
ffff888029155300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888029155380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888029155400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888029155480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888029155500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists