Message-ID: <61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn>
Date: Thu, 8 Jan 2026 10:46:02 +0800 (GMT+08:00)
From: 王志 <wangzhi_xd@....xidian.edu.cn>
To: qat-linux@...el.com, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: syzkaller-bugs@...glegroups.com
Subject: [syzbot] BUG: KASAN: slab-use-after-free in mutex_lock via
 adf_ctl_ioctl

syzbot has found the following issue on:

HEAD commit:    6.18.0 (custom build)
git tree:       linux-stable
console output: (see below)
kernel config:  (attached)

---
QAT: failed to copy from user.
QAT: Invalid ioctl 1074356517
QAT: Invalid ioctl 1074356517
c6xxvf 0000:00:05.0: Starting acceleration device qat_dev0.
==================================================================
BUG: KASAN: slab-use-after-free in owner_on_cpu home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/sched.h:2282 [inline]
BUG: KASAN: slab-use-after-free in mutex_can_spin_on_owner home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:397 [inline]
BUG: KASAN: slab-use-after-free in mutex_optimistic_spin home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:440 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock_common home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:602 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xd0a/0x1160 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:760
Read of size 4 at addr ffff888105139ab4 by task syz.1.1363/5926

CPU: 3 UID: 0 PID: 5926 Comm: syz.1.1363 Tainted: G      D             6.18.0 #3 PREEMPT(voluntary) 
Tainted: [D]=DIE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 __dump_stack home/wmy/Fuzzer/third_tool/linux-6.18/lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xdb/0x140 home/wmy/Fuzzer/third_tool/linux-6.18/lib/dump_stack.c:120
 print_address_description home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:378 [inline]
 print_report+0xcb/0x610 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:482
 kasan_report+0xca/0x100 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/report.c:595
 owner_on_cpu home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/sched.h:2282 [inline]
 mutex_can_spin_on_owner home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:397 [inline]
 mutex_optimistic_spin home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:440 [inline]
 __mutex_lock_common home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:602 [inline]
 __mutex_lock+0xd0a/0x1160 home/wmy/Fuzzer/third_tool/linux-6.18/kernel/locking/mutex.c:760
 adf_dev_up+0x44/0x14c0 home/wmy/Fuzzer/third_tool/linux-6.18/drivers/crypto/intel/qat/qat_common/adf_init.c:473 [intel_qat]
 adf_ctl_ioctl+0x1d6/0x1080 [intel_qat]
 vfs_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:51 [inline]
 __do_sys_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:597 [inline]
 __se_sys_ioctl home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x194/0x210 home/wmy/Fuzzer/third_tool/linux-6.18/fs/ioctl.c:583
 do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f59b9be059d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f59b8626f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f59b9e55fa0 RCX: 00007f59b9be059d
RDX: 00002000000002c0 RSI: 0000000040096102 RDI: 0000000000000008
RBP: 00007f59b9c7e078 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f59b9e56038 R14: 00007f59b9e55fa0 R15: 00007f59b8607000
 </TASK>

Allocated by task 149:
 kasan_save_stack+0x24/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:77
 unpoison_slab_object home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:342 [inline]
 __kasan_slab_alloc+0x59/0x70 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:368
 kasan_slab_alloc home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/kasan.h:252 [inline]
 slab_post_alloc_hook home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:4978 [inline]
 slab_alloc_node home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:5288 [inline]
 kmem_cache_alloc_noprof+0x20a/0x6d0 home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:5295
 getname_flags.part.0+0x50/0x560 home/wmy/Fuzzer/third_tool/linux-6.18/fs/namei.c:146
 getname_flags+0x9a/0xe0 home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/audit.h:345
 getname home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/fs.h:2924 [inline]
 do_sys_openat2+0xa4/0x1c0 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1431
 do_sys_open home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1452 [inline]
 __do_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1468 [inline]
 __se_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463 [inline]
 __x64_sys_openat+0x144/0x200 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463
 do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 149:
 kasan_save_stack+0x24/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:77
 __kasan_save_free_info+0x3b/0x60 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/generic.c:587
 kasan_save_free_info home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/kasan.h:406 [inline]
 poison_slab_object home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x43/0x70 home/wmy/Fuzzer/third_tool/linux-6.18/mm/kasan/common.c:284
 kasan_slab_free home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/kasan.h:234 [inline]
 slab_free_hook home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:2543 [inline]
 slab_free home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:6642 [inline]
 kmem_cache_free+0x2ad/0x620 home/wmy/Fuzzer/third_tool/linux-6.18/mm/slub.c:6752
 putname.part.0+0x120/0x160 home/wmy/Fuzzer/third_tool/linux-6.18/fs/namei.c:297
 putname+0x41/0x50 home/wmy/Fuzzer/third_tool/linux-6.18/include/linux/err.h:84
 do_sys_openat2+0x141/0x1c0 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1445
 do_sys_open home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1452 [inline]
 __do_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1468 [inline]
 __se_sys_openat home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463 [inline]
 __x64_sys_openat+0x144/0x200 home/wmy/Fuzzer/third_tool/linux-6.18/fs/open.c:1463
 do_syscall_x64 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc6/0x390 home/wmy/Fuzzer/third_tool/linux-6.18/arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888105139100
 which belongs to the cache names_cache of size 4096
The buggy address is located 2484 bytes inside of
 freed 4096-byte region [ffff888105139100, ffff88810513a100)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105138
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888100a3fb80 ffffea00006e4800 dead000000000002
raw: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888100a3fb80 ffffea00006e4800 dead000000000002
head: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea0004144e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888105139980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888105139a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888105139a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888105139b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888105139b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
