lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4c29e030-4ba8-48e3-96bb-015d43768db0@lucifer.local>
Date: Thu, 17 Jul 2025 17:06:34 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: syzbot <syzbot+ebfd0e44b5c11034e1eb@...kaller.appspotmail.com>
Cc: akpm@...ux-foundation.org, hdanton@...a.com, liam.howlett@...cle.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        syzkaller-bugs@...glegroups.com, vbabka@...e.cz
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in mas_next_slot
 (2)

OK on second thoughts, there is one additional thing we need to do on each
loop to avoid observing the same VMA, either the prior logic of checking
directly or a vma_next().

So this may be a consequence of that.

I will respin the series to make life easier...

On Thu, Jul 17, 2025 at 05:18:17AM +0100, Lorenzo Stoakes wrote:
> This looks to be unrelated to my patch and some issue with syzbot (it's doing
> weird injection stuff).
>
> As I said, I have tested the change with reproducer locally and it fixes the
> issue, and I have been able to reliably observe that (note, without any of the
> below stuff happening).
>
> Thanks
>
> On Wed, Jul 16, 2025 at 08:55:03PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > INFO: task hung in exit_mm
> >
> > INFO: task syz.0.16:6665 blocked for more than 143 seconds.
> >       Not tainted 6.16.0-rc6-next-20250716-syzkaller-ge8352908bdcd-dirty #0
> >       Blocked by coredump.
> > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > task:syz.0.16        state:D stack:26920 pid:6665  tgid:6665  ppid:6577   task_flags:0x40044c flags:0x00004004
> > Call Trace:
> >  <TASK>
> >  context_switch kernel/sched/core.c:5314 [inline]
> >  __schedule+0x16fd/0x4cf0 kernel/sched/core.c:6697
> >  __schedule_loop kernel/sched/core.c:6775 [inline]
> >  schedule+0x165/0x360 kernel/sched/core.c:6790
> >  schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6847
> >  rwsem_down_read_slowpath+0x5fd/0x8f0 kernel/locking/rwsem.c:1088
> >  __down_read_common kernel/locking/rwsem.c:1263 [inline]
> >  __down_read kernel/locking/rwsem.c:1276 [inline]
> >  down_read+0x98/0x2e0 kernel/locking/rwsem.c:1541
> >  mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  exit_mm+0xcc/0x2c0 kernel/exit.c:557
> >  do_exit+0x648/0x2300 kernel/exit.c:947
> >  do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
> >  get_signal+0x1286/0x1340 kernel/signal.c:3034
> >  arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
> >  exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
> >  exit_to_user_mode_prepare include/linux/irq-entry-common.h:208 [inline]
> >  syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
> >  syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
> >  do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7f524bb8e963
> > RSP: 002b:00007ffc99164708 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> > RAX: fffffffffffffffc RBX: 00007f524b5ff6c0 RCX: 00007f524bb8e963
> > RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
> > R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffc99164860
> > R13: ffffffffffffffc0 R14: 0000000000001000 R15: 0000000000000000
> >  </TASK>
> > INFO: task syz.1.17:6807 blocked for more than 144 seconds.
> >       Not tainted 6.16.0-rc6-next-20250716-syzkaller-ge8352908bdcd-dirty #0
> >       Blocked by coredump.
> > "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> > task:syz.1.17        state:D stack:26920 pid:6807  tgid:6807  ppid:6787   task_flags:0x40044c flags:0x00004004
> > Call Trace:
> >  <TASK>
> >  context_switch kernel/sched/core.c:5314 [inline]
> >  __schedule+0x16fd/0x4cf0 kernel/sched/core.c:6697
> >  __schedule_loop kernel/sched/core.c:6775 [inline]
> >  schedule+0x165/0x360 kernel/sched/core.c:6790
> >  schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6847
> >  rwsem_down_read_slowpath+0x5fd/0x8f0 kernel/locking/rwsem.c:1088
> >  __down_read_common kernel/locking/rwsem.c:1263 [inline]
> >  __down_read kernel/locking/rwsem.c:1276 [inline]
> >  down_read+0x98/0x2e0 kernel/locking/rwsem.c:1541
> >  mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  exit_mm+0xcc/0x2c0 kernel/exit.c:557
> >  do_exit+0x648/0x2300 kernel/exit.c:947
> >  do_group_exit+0x21c/0x2d0 kernel/exit.c:1100
> >  get_signal+0x1286/0x1340 kernel/signal.c:3034
> >  arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
> >  exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
> >  exit_to_user_mode_prepare include/linux/irq-entry-common.h:208 [inline]
> >  syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
> >  syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
> >  do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7efc6b58e963
> > RSP: 002b:00007ffe5b639e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
> > RAX: fffffffffffffffc RBX: 00007efc6afff6c0 RCX: 00007efc6b58e963
> > RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 00000000ffffffff R09: 0000000000000000
> > R10: 0000000000020022 R11: 0000000000000246 R12: 00007ffe5b639fe0
> > R13: ffffffffffffffc0 R14: 0000000000001000 R15: 0000000000000000
> >  </TASK>
> >
> > Showing all locks held in the system:
> > 1 lock held by khungtaskd/31:
> >  #0: ffffffff8e13e2e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> >  #0: ffffffff8e13e2e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
> >  #0: ffffffff8e13e2e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6770
> > 3 locks held by kworker/0:3/981:
> > 3 locks held by kworker/u8:9/3028:
> >  #0: ffff8880b8739f98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:606
> >  #1: ffff8880b8724008 (per_cpu_ptr(&psi_seq, cpu)){-.-.}-{0:0}, at: psi_task_switch+0x53/0x880 kernel/sched/psi.c:937
> >  #2: ffff8880b8725918 (&base->lock){-.-.}-{2:2}, at: lock_timer_base kernel/time/timer.c:1004 [inline]
> >  #2: ffff8880b8725918 (&base->lock){-.-.}-{2:2}, at: __mod_timer+0x1ae/0xf30 kernel/time/timer.c:1085
> > 2 locks held by getty/5607:
> >  #0: ffff88814df960a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
> >  #1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
> > 1 lock held by syz.0.16/6665:
> >  #0: ffff8880242d4260 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff8880242d4260 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.0.16/6666:
> > 1 lock held by syz.1.17/6807:
> >  #0: ffff88807b8c57e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88807b8c57e0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.1.17/6808:
> > 1 lock held by syz.2.18/6831:
> >  #0: ffff88807e36c260 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88807e36c260 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.2.18/6832:
> > 1 lock held by syz.3.19/6858:
> >  #0: ffff88807b8c2ce0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88807b8c2ce0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 3 locks held by syz.3.19/6859:
> > 1 lock held by syz.4.20/6888:
> >  #0: ffff88801a476d60 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88801a476d60 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.4.20/6889:
> > 1 lock held by syz.5.21/6925:
> >  #0: ffff88801a472220 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88801a472220 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.5.21/6926:
> > 1 lock held by syz.6.22/6955:
> >  #0: ffff88807f93b7a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88807f93b7a0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.6.22/6956:
> > 1 lock held by syz.7.24/6990:
> >  #0: ffff88807c9ec260 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:423 [inline]
> >  #0: ffff88807c9ec260 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557
> > 1 lock held by syz.7.24/6992:
> > 2 locks held by dhcpcd/6995:
> >  #0: ffff88805e42b808 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
> >  #0: ffff88805e42b808 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: __sock_release net/socket.c:648 [inline]
> >  #0: ffff88805e42b808 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1439
> >  #1: ffffffff8e143e38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:311 [inline]
> >  #1: ffffffff8e143e38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f6/0x730 kernel/rcu/tree_exp.h:967
> > 1 lock held by dhcpcd/6996:
> >  #0: ffff88805e42ca08 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
> >  #0: ffff88805e42ca08 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: __sock_release net/socket.c:648 [inline]
> >  #0: ffff88805e42ca08 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1439
> > 1 lock held by dhcpcd/6997:
> >  #0: ffff888078933208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
> >  #0: ffff888078933208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: __sock_release net/socket.c:648 [inline]
> >  #0: ffff888078933208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1439
> > 2 locks held by dhcpcd/6998:
> >  #0: ffff888078930208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
> >  #0: ffff888078930208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: __sock_release net/socket.c:648 [inline]
> >  #0: ffff888078930208 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1439
> >  #1: ffffffff8e143e38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
> >  #1: ffffffff8e143e38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x3b9/0x730 kernel/rcu/tree_exp.h:967
> >
> > =============================================
> >
> > NMI backtrace for cpu 0
> > CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc6-next-20250716-syzkaller-ge8352908bdcd-dirty #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> > Call Trace:
> >  <TASK>
> >  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> >  nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
> >  nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
> >  trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
> >  check_hung_uninterruptible_tasks kernel/hung_task.c:328 [inline]
> >  watchdog+0xfee/0x1030 kernel/hung_task.c:491
> >  kthread+0x70e/0x8a0 kernel/kthread.c:463
> >  ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> >  </TASK>
> > Sending NMI from CPU 0 to CPUs 1:
> > NMI backtrace for cpu 1
> > CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted 6.16.0-rc6-next-20250716-syzkaller-ge8352908bdcd-dirty #0 PREEMPT(full)
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> > Workqueue: events_unbound nsim_dev_trap_report_work
> > RIP: 0010:__this_cpu_preempt_check+0xe/0x20 lib/smp_processor_id.c:64
> > Code: 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 89 fe 48 c7 c7 00 65 e3 8b <e9> bd fe ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90
> > RSP: 0018:ffffc90000a08bc8 EFLAGS: 00000002
> > RAX: 0000000000000001 RBX: ffffffff822479bd RCX: da4b2af8b834fd00
> > RDX: ffff888029254d90 RSI: ffffffff8d994444 RDI: ffffffff8be36500
> > RBP: ffffc90000a08ed0 R08: 00000000c506ef33 R09: 00000000624b5ae2
> > R10: 000000000000000e R11: ffffffff81ac3010 R12: 0000000000000000
> > R13: ffffffff81a7e844 R14: ffff88801cecda00 R15: 0000000000000286
> > FS:  0000000000000000(0000) GS:ffff888125ce2000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000055a7ec2b0660 CR3: 000000005fa88000 CR4: 00000000003526f0
> > Call Trace:
> >  <IRQ>
> >  lockdep_hardirqs_off+0x74/0x110 kernel/locking/lockdep.c:4514
> >  trace_hardirqs_off+0x12/0x40 kernel/trace/trace_preemptirq.c:104
> >  kasan_quarantine_put+0x3d/0x220 mm/kasan/quarantine.c:207
> >  kasan_slab_free include/linux/kasan.h:233 [inline]
> >  slab_free_hook mm/slub.c:2417 [inline]
> >  slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4730
> >  rcu_do_batch kernel/rcu/tree.c:2584 [inline]
> >  rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2840
> >  handle_softirqs+0x286/0x870 kernel/softirq.c:579
> >  do_softirq+0xec/0x180 kernel/softirq.c:480
> >  </IRQ>
> >  <TASK>
> >  __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
> >  spin_unlock_bh include/linux/spinlock.h:396 [inline]
> >  nsim_dev_trap_report drivers/net/netdevsim/dev.c:833 [inline]
> >  nsim_dev_trap_report_work+0x7c7/0xb80 drivers/net/netdevsim/dev.c:864
> >  process_one_work kernel/workqueue.c:3239 [inline]
> >  process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
> >  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
> >  kthread+0x70e/0x8a0 kernel/kthread.c:463
> >  ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
> >  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> >  </TASK>
> >
> >
> > Tested on:
> >
> > commit:         e8352908 Add linux-next specific files for 20250716
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1523c58c580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=2594af20939db736
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ebfd0e44b5c11034e1eb
> > compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > patch:          https://syzkaller.appspot.com/x/patch.diff?x=10776382580000
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ