Bug 1200050 (CVE-2022-1976)

Summary: VUL-0: CVE-2022-1976: kernel: use-after-free in __lock_acquire
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: ddiss, meissner, rgoldwyn, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/333232/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2022-1976.patch

Description Thomas Leroy 2022-05-31 07:03:01 UTC
From linux-distros ML:

# Original Report

Hi Security Officers,

I found a vulnerability when fuzzing the Linux kernel with syzkaller. KASAN reports a use-after-free in __lock_acquire. I then tried to reproduce it and got the C source file. I compiled it and executed the binary. After waiting several minutes, the kernel crashed. As a UAF, this vulnerability could be used for LPE, I thought.

I searched the reported bug history and found some with the same title. But this is a different one, as the call trace includes io_uring functions. Please check it.

## Linux version:

5.18.0 (master commit 143a6252e1b8ab424b4b293512a97cca7295c182)

## KASAN report
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642

CPU: 1 PID: 9642 Comm: kworker/1:9 Not tainted 5.18.0 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events io_fallback_req_func
Call Trace:
 <TASK>
 __dump_stack root/opt/kernel/lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 root/opt/kernel/lib/dump_stack.c:106
 print_address_description root/opt/kernel/mm/kasan/report.c:313 [inline]
 print_report.cold+0xe5/0x659 root/opt/kernel/mm/kasan/report.c:429
 kasan_report+0x8a/0x1b0 root/opt/kernel/mm/kasan/report.c:491
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 lock_acquire root/opt/kernel/kernel/locking/lockdep.c:5641 [inline]
 lock_acquire+0x1ab/0x520 root/opt/kernel/kernel/locking/lockdep.c:5606
 __raw_spin_lock_irq root/opt/kernel/./include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irq+0x32/0x50 root/opt/kernel/kernel/locking/spinlock.c:170
 spin_lock_irq root/opt/kernel/./include/linux/spinlock.h:374 [inline]
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]
 io_poll_remove_entries.part.0+0x15f/0x7d0 root/opt/kernel/fs/io_uring.c:6873
 io_poll_remove_entries root/opt/kernel/fs/io_uring.c:6853 [inline]
 io_poll_task_func+0x187/0x500 root/opt/kernel/fs/io_uring.c:6971
 io_fallback_req_func+0xfa/0x1b0 root/opt/kernel/fs/io_uring.c:1824
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 11840:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track root/opt/kernel/mm/kasan/common.c:45 [inline]
 set_alloc_info root/opt/kernel/mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc root/opt/kernel/mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 root/opt/kernel/mm/kasan/common.c:524
 kasan_kmalloc root/opt/kernel/./include/linux/kasan.h:234 [inline]
 __kmalloc+0x1c9/0x4c0 root/opt/kernel/mm/slub.c:4414
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]
 io_uring_create root/opt/kernel/fs/io_uring.c:12396 [inline]
 io_uring_setup.cold+0x176/0x2a59 root/opt/kernel/fs/io_uring.c:12535
 do_syscall_x64 root/opt/kernel/arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 root/opt/kernel/arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 787:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 root/opt/kernel/mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 root/opt/kernel/mm/kasan/generic.c:370
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:366 [inline]
 ____kasan_slab_free root/opt/kernel/mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0x11d/0x190 root/opt/kernel/mm/kasan/common.c:374
 kasan_slab_free root/opt/kernel/./include/linux/kasan.h:200 [inline]
 slab_free_hook root/opt/kernel/mm/slub.c:1728 [inline]
 slab_free_freelist_hook root/opt/kernel/mm/slub.c:1754 [inline]
 slab_free root/opt/kernel/mm/slub.c:3510 [inline]
 kfree+0xec/0x4b0 root/opt/kernel/mm/slub.c:4552
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xefb/0xf43 root/opt/kernel/fs/io_uring.c:11303
 process_one_work+0x9cc/0x1650 root/opt/kernel/kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 root/opt/kernel/kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 root/opt/kernel/kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 root/opt/kernel/arch/x86/entry/entry_64.S:302

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 root/opt/kernel/mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 root/opt/kernel/mm/kasan/generic.c:348
 insert_work+0x4a/0x390 root/opt/kernel/kernel/workqueue.c:1358
 __queue_work+0x4dd/0x1140 root/opt/kernel/kernel/workqueue.c:1517
 queue_work_on+0xee/0x110 root/opt/kernel/kernel/workqueue.c:1545
 queue_work root/opt/kernel/./include/linux/workqueue.h:502 [inline]
 io_ring_ctx_wait_and_kill+0x2b6/0x2ec root/opt/kernel/fs/io_uring.c:11357
 io_uring_release+0x42/0x46 root/opt/kernel/fs/io_uring.c:11365
 __fput+0x277/0x9d0 root/opt/kernel/fs/file_table.c:317
 task_work_run+0xe0/0x1a0 root/opt/kernel/kernel/task_work.c:177
 exit_task_work root/opt/kernel/./include/linux/task_work.h:38 [inline]
 do_exit+0xb16/0x2dc0 root/opt/kernel/kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 root/opt/kernel/kernel/exit.c:925
 get_signal+0x2847/0x2880 root/opt/kernel/kernel/signal.c:2864
 arch_do_signal_or_restart+0x81/0x1e30 root/opt/kernel/arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop root/opt/kernel/kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x174/0x260 root/opt/kernel/kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work root/opt/kernel/kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x60 root/opt/kernel/kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 root/opt/kernel/arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff8880682db000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 952 bytes inside of
 2048-byte region [ffff8880682db000, ffff8880682db800)

The buggy address belongs to the physical page:
page:ffffea0001a0b600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x682d8
head:ffffea0001a0b600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffffea00019e8e00 dead000000000002 ffff888010c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6529, tgid 6529 (syz-executor.2), ts 33495069085, free_ts 0
 set_page_owner root/opt/kernel/./include/linux/page_owner.h:31 [inline]
 post_alloc_hook root/opt/kernel/mm/page_alloc.c:2434 [inline]
 prep_new_page+0x297/0x330 root/opt/kernel/mm/page_alloc.c:2441
 get_page_from_freelist+0x210e/0x3ab0 root/opt/kernel/mm/page_alloc.c:4182
 __alloc_pages+0x30c/0x6e0 root/opt/kernel/mm/page_alloc.c:5408
 alloc_pages+0x119/0x250 root/opt/kernel/mm/mempolicy.c:2272
 alloc_slab_page root/opt/kernel/mm/slub.c:1799 [inline]
 allocate_slab root/opt/kernel/mm/slub.c:1944 [inline]
 new_slab+0x2a9/0x3f0 root/opt/kernel/mm/slub.c:2004
 ___slab_alloc+0xc62/0x1080 root/opt/kernel/mm/slub.c:3005
 __slab_alloc.isra.0+0x4d/0xa0 root/opt/kernel/mm/slub.c:3092
 slab_alloc_node root/opt/kernel/mm/slub.c:3183 [inline]
 slab_alloc root/opt/kernel/mm/slub.c:3225 [inline]
 kmem_cache_alloc_trace+0x383/0x460 root/opt/kernel/mm/slub.c:3256
 kmalloc root/opt/kernel/./include/linux/slab.h:581 [inline]
 kzalloc root/opt/kernel/./include/linux/slab.h:714 [inline]
 ipv6_add_dev root/opt/kernel/net/ipv6/addrconf.c:378 [inline]
 ipv6_add_dev+0xfe/0x12d0 root/opt/kernel/net/ipv6/addrconf.c:368
 addrconf_notify+0x614/0x1bb0 root/opt/kernel/net/ipv6/addrconf.c:3521
 notifier_call_chain+0xb5/0x200 root/opt/kernel/kernel/notifier.c:84
 call_netdevice_notifiers_info root/opt/kernel/net/core/dev.c:1938 [inline]
 call_netdevice_notifiers_info+0xb5/0x130 root/opt/kernel/net/core/dev.c:1923
 call_netdevice_notifiers_extack root/opt/kernel/net/core/dev.c:1976 [inline]
 call_netdevice_notifiers root/opt/kernel/net/core/dev.c:1990 [inline]
 register_netdevice+0xeb5/0x12b0 root/opt/kernel/net/core/dev.c:9994
 veth_newlink+0x405/0xa90 root/opt/kernel/drivers/net/veth.c:1764
 __rtnl_newlink+0xf52/0x1600 root/opt/kernel/net/core/rtnetlink.c:3483
 rtnl_newlink+0x64/0xa0 root/opt/kernel/net/core/rtnetlink.c:3531
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880682db280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880682db380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880682db400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880682db480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
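
A first triage pass over a report like the one above is to pull out, from each of the three stacks (use, allocation, free), the first frame that is not sanitizer, allocator or lockdep plumbing, and to check the faulting offset against the slab object. The Python below does that; it is an added example, not part of the bug report or of any SUSE tooling. The report excerpt is constructed from the lines above and trimmed, and the NOISE skip list is my assumption.

```python
import re

# Constructed excerpt of the KASAN report above, trimmed to the frames the
# triage needs (the real report lists more frames in every stack).
REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
Read of size 8 at addr ffff8880682db3b8 by task kworker/1:9/9642
Call Trace:
 __lock_acquire+0x385f/0x5840 root/opt/kernel/kernel/locking/lockdep.c:4899
 io_poll_remove_entry root/opt/kernel/fs/io_uring.c:6840 [inline]
 io_fallback_req_func+0xfa/0x1b0 root/opt/kernel/fs/io_uring.c:1824
Allocated by task 11840:
 __kasan_kmalloc+0xa9/0xd0 root/opt/kernel/mm/kasan/common.c:524
 io_ring_ctx_alloc root/opt/kernel/fs/io_uring.c:1838 [inline]
 io_uring_setup.cold+0x176/0x2a59 root/opt/kernel/fs/io_uring.c:12535
Freed by task 787:
 __kasan_slab_free+0x11d/0x190 root/opt/kernel/mm/kasan/common.c:374
 io_ring_ctx_free root/opt/kernel/fs/io_uring.c:11159 [inline]
 io_ring_exit_work+0xefb/0xf43 root/opt/kernel/fs/io_uring.c:11303
The buggy address belongs to the object at ffff8880682db000
 which belongs to the cache kmalloc-2k of size 2048
"""

# A frame is "func+0xoff/0xsize file:line" or "func file:line [inline]".
FRAME = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")
# Sanitizer, allocator and lockdep frames do not name the owning subsystem; the
# first frame that is none of these is the one to file against (assumed skip list).
NOISE = re.compile(r"^(_*kasan_|__kmalloc|kfree|slab_|_*lock_acquire|_raw_spin|"
                   r"process_one_work|worker_thread|kthread|ret_from_fork)")

def parse_stacks(report):
    """Collect the indented frames under the use / alloc / free headers."""
    heads = {"Call Trace:": "use", "Allocated by task": "alloc", "Freed by task": "free"}
    stacks, cur = {"use": [], "alloc": [], "free": []}, None
    for line in report.splitlines():
        if not line.startswith(" "):  # any unindented line ends the current stack
            cur = next((k for h, k in heads.items() if line.startswith(h)), None)
        elif cur and (m := FRAME.match(line)):
            stacks[cur].append((m.group(1), m.group(2)))
    return stacks

def owner(frames):
    """First frame outside the skip list, as 'func (file:line)', or None."""
    return next((f"{f} ({loc})" for f, loc in frames if not NOISE.match(f)), None)

def triage(report):
    """Summarise a KASAN use-after-free report for a first look."""
    head = re.search(r"BUG: KASAN: (\S+) in (\S+?)[+\s]", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", report)
    obj = re.search(r"object at ([0-9a-f]+)\n which belongs to the cache (\S+) of size (\d+)", report)
    stacks = parse_stacks(report)
    return {
        "bug": head.group(1), "in": head.group(2), "task": acc.group(4),
        "access": f"{acc.group(1)} of {acc.group(2)} bytes",
        "cache": obj.group(2), "size": int(obj.group(3)),
        # Offset of the faulting address inside the slab object; the report's
        # own "952 bytes inside of" line must agree with this value.
        "offset": int(acc.group(3), 16) - int(obj.group(1), 16),
        "use": owner(stacks["use"]), "alloc": owner(stacks["alloc"]), "free": owner(stacks["free"]),
    }

if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(f"{key:>7}: {val}")
```

For this report the three owning frames all sit in fs/io_uring.c: the ctx is allocated by io_uring_setup, freed by io_ring_exit_work, and then touched from the io_fallback_req_func workqueue, which is the lifetime problem the upstream fix addresses.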
Comment 2 Marcus Meissner 2022-06-02 08:02:24 UTC
Created attachment 859377 [details]
CVE-2022-1976.patch

Jens Axboe proposed fix.
Comment 3 Takashi Iwai 2022-06-05 07:23:01 UTC
(In reply to Marcus Meissner from comment #2)
> Created attachment 859377 [details]
> CVE-2022-1976.patch
> 
> jens axboe proposed fix.

The corresponding upstream commit 9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7
    io_uring: reinstate the inflight tracking

David, could you take a look?
Comment 4 David Disseldorp 2022-06-06 15:47:06 UTC
(In reply to Takashi Iwai from comment #3)
> (In reply to Marcus Meissner from comment #2)
> > Created attachment 859377 [details]
> > CVE-2022-1976.patch
> > 
> > jens axboe proposed fix.
> 
> The corresponding upstream commit 9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7
>     io_uring: reinstate the inflight tracking
> 
> David, could you take a look?

I think we're okay here, as we're not carrying the d5361233e9ab ("io_uring: drop the old style inflight file tracking") regression outside of stable.

d5361233e9ab was committed for v5.18-rc2 as another syzkaller fix for 6bf9c47a3989 ("io_uring: defer file assignment"), which we're also not carrying.

Should I commit the 9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7 fix for stable / tumbleweed? It looks a few other mainline changes will be needed to avoid diverging too much.
Comment 5 Takashi Iwai 2022-06-06 16:21:12 UTC
For stable/master, usually stable tree brings the fix in a timely manner.
Comment 6 David Disseldorp 2022-06-07 07:49:32 UTC
(In reply to Takashi Iwai from comment #5)
> For stable/master, usually stable tree brings the fix in a timely manner.

Thanks Takashi, in that case I'll let this wait for the next stable merge. As per comment #4, I think this ticket can be closed. Reassigning to security team.
Comment 7 Thomas Leroy 2022-06-07 08:28:52 UTC
(In reply to David Disseldorp from comment #6)
> (In reply to Takashi Iwai from comment #5)
> > For stable/master, usually stable tree brings the fix in a timely manner.
> 
> Thanks Takashi, in that case I'll let this wait for the next stable merge.
> As per comment#4, I think this ticket can be close. Reassigning to security
> team.

Thanks everyone for the investigations, closing.
Comment 8 Marcus Meissner 2022-06-14 11:57:51 UTC
Is public.

via oss-security.

Hi all,

=*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=

The old inflight tracking for any file type that has io_uring_fops needs to be assigned, otherwise trivial circular references never get the ctx cleaned up and hence it'll leak.

This issue was reported on May 31 and assigned CVE-2022-1976.

C repro is attached.




=*=*=*=*=*=*=*=*=     PATCH     =*=*=*=*=*=*=*=*=

The patch has been merged into the Linux kernel mainline and stable-master
tree.
It can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7


=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Zhixin Li from Zero-one Security <sundaywind2004@gmail.com>


Thanks.