<div dir="ltr">Hi,<br><br>We use our modified Syzkaller to fuzz the Linux kernel and found the following issue.<br><br>Head Commit: 4c893ff55907c61456bcb917781c0dd687a1e123<br>Git Tree: stable<br><br>Kernel config: <a href="https://pastebin.com/raw/BiggLxRg">https://pastebin.com/raw/BiggLxRg</a><br><div><br></div><div>Unfortunately, I don't have any reproducer for this crash yet.<br></div><div>IMPORTANT: if you fix the bug, please add the following tag to the commit:<br>Reported-by: <a href="mailto:lanyang0908@gmail.com">lanyang0908@gmail.com</a><br></div><div><br></div><div>I guess that it is possibly caused by a race condition?</div><div>Firstly, fb_videomode_to_var+0x2fc corresponds to the field "xres" in the struct fb_videomode. Although the system already checks whether the object mode is NULL before converting fb_videomode to fb_var_screeninfo, is it possible that this object has been freed by other threads at this moment?</div><div><br></div><div>What do you think?</div><div><br></div><div>Related source code:</div><div>static int fbcon_resize(struct vc_data *vc, unsigned int width,<br>                        unsigned int height, unsigned int user)<br>{<br>        ...<br>        mode = fb_find_best_mode(&var, &info->modelist);<br>        if (mode == NULL)<br>                return -EINVAL;<br>        display_to_var(&var, p);<br>        fb_videomode_to_var(&var, mode);<br>        ...<br>}<br></div><div><br></div><div>void fb_videomode_to_var(struct fb_var_screeninfo *var,<br>                         const struct fb_videomode *mode)<br>{<br>        var->xres = mode->xres;<br>        ...<br>}</div><div><br></div><div>Crash log:</div><div>==================================================================<br>BUG: KASAN: use-after-free in fb_videomode_to_var+0x2fc/0x5d0<br>Read of size 4 at addr ffff8880495c661c by task syz-executor.4/16705<br><br>CPU: 1 PID: 16705 Comm: 
syz-executor.4 Not tainted 5.10.180+ #6<br>Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br>Call Trace:<br> dump_stack+0x172/0x21e                                       <br> ? stack_trace_save+0x107/0x1e0                                       <br> ? show_regs_print_info+0x12/0x12                                     <br> ? printk+0xc0/0x103                                       <br> print_address_description+0x66/0x640                                      <br> ? log_buf_vmcoreinfo_setup+0x45d/0x45d                                      <br> ? _raw_spin_lock_irqsave+0xbf/0x100                                       <br> ? stack_trace_save+0x107/0x1e0                                     <br> ? stack_trace_snprint+0xe0/0xe0                                     <br> kasan_report+0x141/0x1f0                                     <br> ? fb_videomode_to_var+0x2fc/0x5d0                                      <br> ? fb_videomode_to_var+0x2fc/0x5d0                                      <br> ? fbcon_resize+0x627/0x17f0                                      <br> ? fbcon_copy_font+0x130/0x130                                      <br> ? __kmalloc+0x224/0x300                                      <br> ? kzalloc+0x1d/0x40                                       <br> ? fbcon_copy_font+0x130/0x130                                       <br> ? vc_do_resize+0x7b7/0x18f0                                       <br> ? vc_resize+0x50/0x50                                       <br> ? _raw_spin_unlock_irqrestore+0x2e/0x60                                       <br> ? lockdep_hardirqs_on+0x90/0x140                                       <br> ? vt_ioctl+0x32f1/0x3ff0                                       <br> ? mark_lock+0x1ac/0x1dc0                                       <br> ? __vt_event_wait+0x230/0x230                                       <br> ? __bfs+0x660/0x660                                       <br> ? 
__bfs+0x660/0x660                                       <br> ? trace_lock_acquire+0x1a0/0x1a0                                      <br> ? rcu_read_lock_sched_held+0x87/0x110                                       <br> ? __bpf_trace_rcu_utilization+0x10/0x10                                       <br> ? __lock_acquire+0x1264/0x2b10                                       <br> ? __lock_acquire+0x1264/0x2b10                                       <br> ? trace_lock_acquire+0x1a0/0x1a0                                       <br> ? tty_ioctl+0xf2a/0x1700                                       <br> ? tty_do_resize+0x180/0x180                                       <br> ? rcu_lock_release+0x9/0x20                                       <br> ? __lock_acquire+0x2b10/0x2b10                                       <br> ? __fget_files+0x37c/0x3b0                                       <br> ? __fdget+0x18f/0x210                                       <br> ? tty_do_resize+0x180/0x180                                       <br> ? __x64_sys_ioctl+0x119/0x190                                       <br> ? do_syscall_64+0x74/0xc0                                      <br> ? 
entry_SYSCALL_64_after_hwframe+0x44/0xa9                                       <br><br>Allocated by task 7679:<br> __kasan_kmalloc+0x102/0x140<br> __kmalloc_node+0x262/0x380<br> kvmalloc_node+0x81/0x110<br> alloc_fdtable+0x151/0x260<br> dup_fd+0x880/0xd00<br> copy_process+0x1b66/0x5e80<br><br>The buggy address belongs to the object at ffff8880495c6600<br> which belongs to the cache kmalloc-96 of size 96<br>The buggy address is located 28 bytes inside of<br> 96-byte region [ffff8880495c6600, ffff8880495c6660)<br>The buggy address belongs to the page:<br>page:0000000005617347 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880495c6c80 pfn:0x495c6<br>flags: 0x4fff00000000200(slab)<br>raw: 04fff00000000200 ffffea0000629680 0000000200000002 ffff88800ec41780<br>raw: ffff8880495c6c80 000000008020001c 00000001ffffffff 0000000000000000<br>page dumped because: kasan: bad access detected<br>page_owner tracks the page as allocated<br>page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)<br> prep_new_page+0x16/0xa0<br> get_page_from_freelist+0xa3d/0xcb0<br> __alloc_pages_nodemask+0x225/0x580<br> allocate_slab+0xb4/0x520<br> ___slab_alloc+0x1df/0x330<br> kmem_cache_alloc_trace+0x288/0x2c0<br> __hw_addr_sync+0x3c0/0xb30<br> dev_mc_sync+0xdb/0x1a0<br> vlan_dev_set_rx_mode+0x47/0x70<br> __dev_mc_add+0x3ed/0x510<br> igmp6_group_added+0x1a0/0x880<br> __ipv6_dev_mc_inc+0x8c1/0xb60<br> addrconf_dad_work+0x3f2/0x2040<br> process_one_work+0x83b/0x10a0<br> worker_thread+0xa94/0x1440<br> kthread+0x3af/0x3d0<br>page last free stack trace:<br> free_pcp_prepare+0x1dc/0x410<br> free_unref_page+0x6a/0x220<br> tlb_remove_table_rcu+0x78/0xf0<br> rcu_core+0x81a/0x1190<br> __do_softirq+0x376/0x72b<br> asm_call_irq_on_stack+0xf/0x20<br><br>Memory state around the buggy address:<br> ffff8880495c6500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc<br> ffff8880495c6580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc 
fc<br>>ffff8880495c6600: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc<br>                            ^<br> ffff8880495c6680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc<br> ffff8880495c6700: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc<br>==================================================================<br>Disabling lock debugging due to kernel taint<br>Kernel panic - not syncing: panic_on_warn set ...<br>CPU: 1 PID: 16705 Comm: syz-executor.4 Tainted: G    B             5.10.180+ #6<br>Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br>Call Trace:<br> dump_stack+0x172/0x21e                                       <br> ? log_buf_vmcoreinfo_setup+0x45d/0x45d                                      <br> ? show_regs_print_info+0x12/0x12                                       <br> ? __irq_exit_rcu+0xc5/0x260                                      <br> ? irq_exit_rcu+0x20/0x20                                       <br> panic+0x2b6/0x7d0                                       <br> ? schedule_preempt_disabled+0x20/0x20                                       <br> ? trace_hardirqs_on+0x32/0x80                                       <br> ? nmi_panic+0x80/0x80                                     <br> ? preempt_schedule_thunk+0x16/0x18                                      <br> ? trace_hardirqs_on+0x32/0x80                                       <br> kasan_report+0x1e5/0x1f0                                       <br> ? fb_videomode_to_var+0x2fc/0x5d0                                       <br> ? fb_videomode_to_var+0x2fc/0x5d0                                       <br> ? fbcon_resize+0x627/0x17f0                                      <br> ? fbcon_copy_font+0x130/0x130                                      <br> ? __kmalloc+0x224/0x300                                     <br> ? kzalloc+0x1d/0x40                                       <br> ? fbcon_copy_font+0x130/0x130                                      <br> ? 
vc_do_resize+0x7b7/0x18f0                                     <br> ? vc_resize+0x50/0x50                                     <br> ? _raw_spin_unlock_irqrestore+0x2e/0x60                                      <br> ? lockdep_hardirqs_on+0x90/0x140                                      <br> ? vt_ioctl+0x32f1/0x3ff0                                      <br> ? mark_lock+0x1ac/0x1dc0                                     <br> ? __vt_event_wait+0x230/0x230                                     <br> ? __bfs+0x660/0x660                                      <br> ? __bfs+0x660/0x660                                     <br> ? trace_lock_acquire+0x1a0/0x1a0                                      <br> ? rcu_read_lock_sched_held+0x87/0x110                                      <br> ? __bpf_trace_rcu_utilization+0x10/0x10                                     <br> ? __lock_acquire+0x1264/0x2b10                                     <br> ? __lock_acquire+0x1264/0x2b10                                    <br> ? trace_lock_acquire+0x1a0/0x1a0                                    <br> ? tty_ioctl+0xf2a/0x1700                                  <br> ? tty_do_resize+0x180/0x180                                  <br> ? rcu_lock_release+0x9/0x20                                <br> ? __lock_acquire+0x2b10/0x2b10                                  <br> ? __fget_files+0x37c/0x3b0                                    <br> ? __fdget+0x18f/0x210                                     <br> ? tty_do_resize+0x180/0x180                                    <br> ? __x64_sys_ioctl+0x119/0x190                                     <br> ? do_syscall_64+0x74/0xc0                                  <br> ? entry_SYSCALL_64_after_hwframe+0x44/0xa9                                     <br>Kernel Offset: disabled<br>Rebooting in 86400 seconds..</div><div><div><br></div><div><br></div><div>Best regards,</div><div><br></div><div>Yang</div></div></div>
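Triage helper for the report above, added here as an example and not part of the original mail or of the kernel: it parses the KASAN lines quoted in the mail, checks that the stated 28-byte offset agrees with the two addresses, and flags that the "Allocated by" stack (alloc_fdtable) belongs to a different owner than the fb_videomode the code expected, i.e. the freed slot had already been reused. The ALLOC_WRAPPERS list and the expected_owner substrings are assumptions of the example.

```python
import re

# Excerpt of the KASAN report quoted in the mail above (addresses copied from it).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in fb_videomode_to_var+0x2fc/0x5d0
Read of size 4 at addr ffff8880495c661c by task syz-executor.4/16705

Allocated by task 7679:
 __kasan_kmalloc+0x102/0x140
 __kmalloc_node+0x262/0x380
 kvmalloc_node+0x81/0x110
 alloc_fdtable+0x151/0x260

The buggy address belongs to the object at ffff8880495c6600
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 28 bytes inside of
"""

# Allocator plumbing frames (assumed list); the first frame after them is the real allocation site.
ALLOC_WRAPPERS = ("kasan", "kmalloc", "kvmalloc", "kmem_cache", "slab")

def parse_kasan(report):
    """Extract the access, the slab object and the allocation stack from a report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\w+)\+0x", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", report)
    obj = re.search(r"object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)", report)
    stated = re.search(r"located (\d+) bytes inside of", report)
    alloc = re.search(r"Allocated by task \d+:\n((?: \S+\n)+)", report)
    frames = [l.strip().split("+")[0] for l in alloc.group(1).splitlines()]
    return {
        "kind": bug.group(1), "func": bug.group(2),
        "access": acc.group(1), "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16), "task": acc.group(4),
        "object": int(obj.group(1), 16), "cache": obj.group(2), "cache_size": int(obj.group(3)),
        "stated_offset": int(stated.group(1)), "alloc_frames": frames,
        "alloc_site": next(f for f in frames if not any(w in f for w in ALLOC_WRAPPERS)),
    }

def triage(report, expected_owner=("fb_", "fbcon", "videomode")):
    """Cross-check the numbers and decide whether the slot was reused by another owner."""
    r = parse_kasan(report)
    r["offset"] = r["addr"] - r["object"]
    r["offset_consistent"] = r["offset"] == r["stated_offset"]
    r["access_in_object"] = r["offset"] + r["size"] <= r["cache_size"]
    # A UAF whose allocation stack never touches framebuffer code means the freed
    # slot was handed to another subsystem (here an fdtable): the "Allocated by"
    # stack describes the new owner, not the dangling fb_videomode.
    r["slot_reused"] = r["kind"] == "use-after-free" and not any(
        k in f for f in r["alloc_frames"] for k in expected_owner)
    return r
```

Because the slot was reused, the "Allocated by" stack says nothing about where the stale fb_videomode came from; the useful lead is the free stack of the mode list entry, which this report does not include.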