lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9385a1a6-8c10-4eb5-9ab9-87aaeb6a7766@kernel.dk>
Date: Sun, 20 Jul 2025 12:24:41 -0600
From: Jens Axboe <axboe@...nel.dk>
To: syzbot <syzbot+01523a0ae5600aef5895@...kaller.appspotmail.com>,
 io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com, abbotti@....co.uk,
 hsweeten@...ionengravers.com, Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [syzbot] [io-uring?] KASAN: slab-use-after-free Read in
 io_poll_remove_entries

On 7/19/25 11:29 AM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4871b7cb27f4 Merge tag 'v6.16-rc6-smb3-client-fixes' of gi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1288c38c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fa738a4418f051ee
> dashboard link: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1688c38c580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166ed7d4580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-4871b7cb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4a9dea51d821/vmlinux-4871b7cb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/f96c723cdfe6/bzImage-4871b7cb.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+01523a0ae5600aef5895@...kaller.appspotmail.com
> 
> ==================================================================
> BUG: KASAN: slab-use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
> BUG: KASAN: slab-use-after-free in _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
> Read of size 1 at addr ffff88803c6f42b0 by task kworker/2:2/1339
> 
> CPU: 2 UID: 0 PID: 1339 Comm: kworker/2:2 Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4 #0 PREEMPT(full) 
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Workqueue: events io_fallback_req_func
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0xcd/0x610 mm/kasan/report.c:480
>  kasan_report+0xe0/0x110 mm/kasan/report.c:593
>  __kasan_check_byte+0x36/0x50 mm/kasan/common.c:557
>  kasan_check_byte include/linux/kasan.h:399 [inline]
>  lock_acquire kernel/locking/lockdep.c:5845 [inline]
>  lock_acquire+0xfc/0x350 kernel/locking/lockdep.c:5828
>  __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
>  _raw_spin_lock_irq+0x36/0x50 kernel/locking/spinlock.c:170
>  spin_lock_irq include/linux/spinlock.h:376 [inline]
>  io_poll_remove_entry io_uring/poll.c:146 [inline]
>  io_poll_remove_entries.part.0+0x14e/0x7e0 io_uring/poll.c:179
>  io_poll_remove_entries io_uring/poll.c:159 [inline]
>  io_poll_task_func+0x4cd/0x1130 io_uring/poll.c:326
>  io_fallback_req_func+0x1c7/0x6d0 io_uring/io_uring.c:259
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
>  process_scheduled_works kernel/workqueue.c:3321 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
>  kthread+0x3c5/0x780 kernel/kthread.c:464
>  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> 
> Allocated by task 6154:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>  kmalloc_noprof include/linux/slab.h:905 [inline]
>  kzalloc_noprof include/linux/slab.h:1039 [inline]
>  __comedi_device_postconfig_async drivers/comedi/drivers.c:664 [inline]
>  __comedi_device_postconfig drivers/comedi/drivers.c:721 [inline]
>  comedi_device_postconfig+0x2cb/0xc80 drivers/comedi/drivers.c:756
>  comedi_device_attach+0x3cf/0x900 drivers/comedi/drivers.c:998
>  do_devconfig_ioctl+0x1a7/0x580 drivers/comedi/comedi_fops.c:855
>  comedi_unlocked_ioctl+0x15bb/0x2e90 drivers/comedi/comedi_fops.c:2136
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl fs/ioctl.c:893 [inline]
>  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Freed by task 6156:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
>  poison_slab_object mm/kasan/common.c:247 [inline]
>  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
>  kasan_slab_free include/linux/kasan.h:233 [inline]
>  slab_free_hook mm/slub.c:2381 [inline]
>  slab_free mm/slub.c:4643 [inline]
>  kfree+0x2b4/0x4d0 mm/slub.c:4842
>  comedi_device_detach_cleanup drivers/comedi/drivers.c:171 [inline]
>  comedi_device_detach+0x2a4/0x9e0 drivers/comedi/drivers.c:208
>  do_devconfig_ioctl+0x46c/0x580 drivers/comedi/comedi_fops.c:833
>  comedi_unlocked_ioctl+0x15bb/0x2e90 drivers/comedi/comedi_fops.c:2136
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:907 [inline]
>  __se_sys_ioctl fs/ioctl.c:893 [inline]
>  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f

I took a quick look at this, and surely looks like a comedi bug. If you
call the ioctl part (do_devconfig_ioctl()) with a NULL arg, it just does
a detach and frees the device, regardless of whether anyone has it
opened or not?! It's got some odd notion of checking whether it's busy
or not. For this case, someone has a poll active on the device, yet it
still happily frees it.

CC'ing some folks, as this looks utterly broken.

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ