lists.openwall.net linux-kernel mailing list archive
Message-ID: <CANypQFZASBzSq50h4Ate1u0QoZwpdu-k2jvr1q5KjFa0Z6ipiw@mail.gmail.com>
Date: Fri, 17 Oct 2025 16:08:20 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: linux-kernel@...r.kernel.org
Cc: bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com, 
	kai.huang@...el.com, mingo@...hat.com, peterz@...radead.org, 
	tglx@...utronix.de, x86@...nel.org
Subject: [Linux Kernel Bug] KASAN: slab-use-after-free Read in assign_work

Dear Linux kernel developers and maintainers:

We are writing to report a slab-use-after-free bug in assign_work,
discovered with our modified version of syzkaller.

This issue was initially found in kernel v6.18-rc1 (commit
3a8660878839faadb4f1a6dd72c3179c1df56787). Unfortunately, we do not
yet have a stable C/Syz program to reproduce this bug. We are
currently analyzing the root cause and working to create a reliable
reproducer, which we will share as soon as it is available.

Attached are the kernel console output, .config file, and formatted
bug report for your analysis. The KASAN report from v6.18-rc1,
formatted by syz-symbolize, is also listed below:

==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0xb5/0x190 lib/list_debug.c:65
Read of size 8 at addr ffff8880532ed290 by task kworker/1:5/12421

CPU: 1 UID: 0 PID: 12421 Comm: kworker/1:5 Not tainted 6.18.0-rc1 #1
PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue:  0x0 (events)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x17e/0x810 mm/kasan/report.c:482
 kasan_report+0x147/0x180 mm/kasan/report.c:595
 __list_del_entry_valid_or_report+0xb5/0x190 lib/list_debug.c:65
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_move_tail include/linux/list.h:318 [inline]
 move_linked_works kernel/workqueue.c:1153 [inline]
 assign_work+0x21b/0x440 kernel/workqueue.c:1205
 worker_thread+0x88f/0xda0 kernel/workqueue.c:3426
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 1896:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __do_kmalloc_node mm/slub.c:5627 [inline]
 __kvmalloc_node_noprof+0x5cf/0x910 mm/slub.c:7081
 alloc_netdev_mqs+0xa6/0x11b0 net/core/dev.c:11900
 usbnet_probe+0x208/0x2870 drivers/net/usb/usbnet.c:1733
 usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
 really_probe+0x26d/0x9f0 drivers/base/dd.c:659
 __driver_probe_device+0x190/0x390 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b7/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a5c/0x20b0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
 really_probe+0x26d/0x9f0 drivers/base/dd.c:659
 __driver_probe_device+0x190/0x390 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b7/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xb9d/0x1a00 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x290c/0x49a0 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 1896:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
 kasan_save_free_info mm/kasan/kasan.h:406 [inline]
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x58/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2523 [inline]
 slab_free mm/slub.c:6611 [inline]
 kfree+0x19a/0x6d0 mm/slub.c:6818
 device_release+0x9c/0x1c0
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x22b/0x480 lib/kobject.c:737
 usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:571 [inline]
 __device_release_driver drivers/base/dd.c:1274 [inline]
 device_release_driver_internal+0x4d9/0x800 drivers/base/dd.c:1297
 bus_remove_device+0x34d/0x410 drivers/base/bus.c:579
 device_del+0x4fb/0x8d0 drivers/base/core.c:3878
 usb_disable_device+0x3e9/0x8a0 drivers/usb/core/message.c:1418
 usb_disconnect+0x330/0x950 drivers/usb/core/hub.c:2344
 hub_port_connect drivers/usb/core/hub.c:5406 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x1cfb/0x49a0 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:56
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:559
 insert_work+0x3d/0x330 kernel/workqueue.c:2186
 __queue_work+0xcd2/0xfb0 kernel/workqueue.c:2341
 queue_work_on+0x170/0x280 kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:669 [inline]
 schedule_work include/linux/workqueue.h:730 [inline]
 usbnet_defer_kevent+0xd1/0x220 drivers/net/usb/usbnet.c:479
 usbnet_probe+0x1e45/0x2870 drivers/net/usb/usbnet.c:1875
 usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
 really_probe+0x26d/0x9f0 drivers/base/dd.c:659
 __driver_probe_device+0x190/0x390 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b7/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a5c/0x20b0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
 really_probe+0x26d/0x9f0 drivers/base/dd.c:659
 __driver_probe_device+0x190/0x390 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b7/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xb9d/0x1a00 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x290c/0x49a0 drivers/usb/core/hub.c:5952
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff8880532ec000
 which belongs to the cache kmalloc-cg-8k of size 8192
The buggy address is located 4752 bytes inside of
 freed 8192-byte region [ffff8880532ec000, ffff8880532ee000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x532e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88805aeda9c1
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801a04b640 ffffea0001d4e000 dead000000000002
raw: 0000000000000000 0000000000020002 00000000f5000000 ffff88805aeda9c1
head: 04fff00000000040 ffff88801a04b640 ffffea0001d4e000 dead000000000002
head: 0000000000000000 0000000000020002 00000000f5000000 ffff88805aeda9c1
head: 04fff00000000003 ffffea00014cba01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP), pid 31168, tgid 31152 (syz.4.1458), ts 244486637004, free_ts 244476854088
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
 prep_new_page mm/page_alloc.c:1858 [inline]
 get_page_from_freelist+0x2369/0x2440 mm/page_alloc.c:3884
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:3039 [inline]
 allocate_slab+0x96/0x3a0 mm/slub.c:3212
 new_slab mm/slub.c:3266 [inline]
 ___slab_alloc+0xe9c/0x18d0 mm/slub.c:4636
 __slab_alloc+0x65/0x100 mm/slub.c:4755
 __slab_alloc_node mm/slub.c:4831 [inline]
 slab_alloc_node mm/slub.c:5253 [inline]
 __do_kmalloc_node mm/slub.c:5626 [inline]
 __kvmalloc_node_noprof+0x6bc/0x910 mm/slub.c:7081
 kvm_arch_alloc_vm arch/x86/include/asm/kvm_host.h:2009 [inline]
 kvm_create_vm virt/kvm/kvm_main.c:1116 [inline]
 kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5492 [inline]
 kvm_dev_ioctl+0x123/0x1570 virt/kvm/kvm_main.c:5534
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5248 tgid 5248 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1394 [inline]
 __free_frozen_pages+0xbc0/0xd40 mm/page_alloc.c:2906
 __slab_free+0x2e7/0x390 mm/slub.c:5947
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:352
 kasan_slab_alloc include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook mm/slub.c:4955 [inline]
 slab_alloc_node mm/slub.c:5265 [inline]
 kmem_cache_alloc_noprof+0x367/0x6e0 mm/slub.c:5272
 getname_flags+0xb8/0x540 fs/namei.c:146
 getname include/linux/fs.h:2922 [inline]
 getname_maybe_null include/linux/fs.h:2929 [inline]
 vfs_fstatat fs/stat.c:370 [inline]
 vfs_stat include/linux/fs.h:3591 [inline]
 __do_sys_newstat fs/stat.c:515 [inline]
 __se_sys_newstat fs/stat.c:509 [inline]
 __x64_sys_newstat+0xcc/0x170 fs/stat.c:509
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff8880532ed180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880532ed200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880532ed280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8880532ed300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880532ed380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Please let us know if any further information would be helpful.

Best regards,
Jiaming Zhang
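Editor's note on the trace, with an added example that is not part of the report and not kernel code. The three stacks above are consistent with one pattern: the object is the net_device private area allocated by alloc_netdev_mqs() in usbnet_probe(); a work item inside it was queued by usbnet_defer_kevent() during the same probe; the object was then released through usb_unbind_interface() -> device_release() -> kfree(); and the pool worker later executed move_linked_works() on that still-linked entry, so list_move_tail() read work->entry.prev/next out of the freed 8 KiB region (offset 4752). The reporter has not confirmed a root cause, so treat this as a reading of the trace, not a diagnosis. The userspace C model below reproduces that lifetime rule in miniature: an intrusive list_head embedded in a container that is freed while still on the pending list, a small quarantine standing in for KASAN's freed-object check, and the standard fix of cancelling the work before freeing its container. All struct and function names here (usbnet_model, assign_work_model, disconnect_buggy, disconnect_fixed, run_scenario) are this example's own, not the kernel's.

```c
/* Userspace model of a work item outliving its container.
 * Assumption: a work_struct embedded in a device object is still linked on
 * the pool worklist when the object is freed; the worker then reads the
 * freed list entry (the list_move_tail() read reported by KASAN above). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

struct work_struct { struct list_head entry; void (*func)(struct work_struct *); };

/* Container object, playing the role of the usbnet private data. */
struct usbnet_model {
    char name[16];
    struct work_struct kevent;
};

/* Pool pending list and the worker's scheduled list. */
static struct list_head worklist, scheduled;

/* KASAN stand-in: "freed" objects are parked in a quarantine rather than
 * returned to the allocator, so list accesses can be checked against it. */
enum { MAX_QUAR = 8 };
static struct usbnet_model *quarantine[MAX_QUAR];
static int nquar;

static bool is_freed(const void *p) {
    for (int i = 0; i < nquar; i++) {
        const char *base = (const char *)quarantine[i];
        if ((const char *)p >= base && (const char *)p < base + sizeof(*quarantine[i]))
            return true;
    }
    return false;
}

static void kfree_model(struct usbnet_model *dev) {
    if (nquar < MAX_QUAR) quarantine[nquar++] = dev;
}

static void queue_work_model(struct work_struct *w) { list_add_tail(&w->entry, &worklist); }
static void cancel_work_model(struct work_struct *w) { list_del_init(&w->entry); }

/* Model of assign_work() -> move_linked_works() -> list_move_tail().
 * Returns 1 if an item was moved, 0 if nothing was pending, -1 when the
 * entry it is about to dereference lives in a freed object. */
static int assign_work_model(void) {
    if (worklist.next == &worklist) return 0;
    struct list_head *e = worklist.next;
    if (is_freed(e)) {
        fprintf(stderr, "BUG: slab-use-after-free read at %p\n", (void *)e);
        return -1;
    }
    list_del_init(e);
    list_add_tail(e, &scheduled);
    return 1;
}

static void kevent_fn(struct work_struct *w) { (void)w; }

/* Probe queues a deferred event, as usbnet_defer_kevent() does. */
static struct usbnet_model *probe_model(const char *name) {
    struct usbnet_model *dev = calloc(1, sizeof(*dev));
    snprintf(dev->name, sizeof dev->name, "%s", name);
    INIT_LIST_HEAD(&dev->kevent.entry);
    dev->kevent.func = kevent_fn;
    queue_work_model(&dev->kevent);
    return dev;
}

/* Buggy teardown: frees the container with its work still pending. */
static void disconnect_buggy(struct usbnet_model *dev) { kfree_model(dev); }

/* Fixed teardown: cancel (synchronously, in the kernel) before free. */
static void disconnect_fixed(struct usbnet_model *dev) {
    cancel_work_model(&dev->kevent);
    kfree_model(dev);
}

/* One probe/disconnect/worker cycle; returns the assign_work_model() result. */
static int run_scenario(bool fixed) {
    for (int i = 0; i < nquar; i++) free(quarantine[i]);
    nquar = 0;
    INIT_LIST_HEAD(&worklist);
    INIT_LIST_HEAD(&scheduled);
    struct usbnet_model *dev = probe_model("usb0");
    if (fixed) disconnect_fixed(dev); else disconnect_buggy(dev);
    return assign_work_model();
}

int main(void) {
    printf("buggy teardown: %d\nfixed teardown: %d\n",
           run_scenario(false), run_scenario(true));
    return 0;
}
```

The model deliberately stops at the check KASAN performs; the real worker would have read the freed `prev`/`next` pointers and corrupted whatever now occupies that slab slot. The practitioner takeaway matches the kernel's own rule for embedded work items: the owner must `cancel_work_sync()` (or otherwise guarantee completion) before the memory holding the `work_struct` is released, and a disconnect path that can race with a probe-time `schedule_work()` is the first place to look when triaging this trace.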
