[syzbot] [kernel?] upstream test error: KASAN: slab-use-after-free Read in reweight_entity

From: syzbot
Date: Fri Oct 20 2023 - 02:53:59 EST


Hello,

syzbot found the following issue on:

HEAD commit: 7cf4bea77ab6 Merge tag 'for-6.6-rc6-tag' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1550f7bd680000
kernel config: https://syzkaller.appspot.com/x/.config?x=d236817624b4822c
dashboard link: https://syzkaller.appspot.com/bug?extid=7147c5c87b744de4654c
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-7cf4bea7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/60c2785d5bbf/vmlinux-7cf4bea7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0283814b9e4/zImage-7cf4bea7.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7147c5c87b744de4654c@xxxxxxxxxxxxxxxxxxxxxxxxx

==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x720/0x888 kernel/sched/fair.c:3660
Read of size 8 at addr ffff00000acc3830 by task syz-fuzzer/3099

CPU: 1 PID: 3099 Comm: syz-fuzzer Not tainted 6.6.0-rc6-syzkaller-00045-g7cf4bea77ab6 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:233
show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x74/0xd4 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xd8/0x598 mm/kasan/report.c:475
kasan_report+0xc8/0x108 mm/kasan/report.c:588
__asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
__update_min_deadline kernel/sched/fair.c:805 [inline]
min_deadline_update kernel/sched/fair.c:819 [inline]
min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
reweight_entity+0x720/0x888 kernel/sched/fair.c:3660
update_cfs_group+0x144/0x214 kernel/sched/fair.c:3826
entity_tick kernel/sched/fair.c:5317 [inline]
task_tick_fair+0xd8/0x8e0 kernel/sched/fair.c:12392
scheduler_tick+0x218/0x4f8 kernel/sched/core.c:5657
update_process_times+0x180/0x1f8 kernel/time/timer.c:2076
tick_sched_handle+0x68/0x12c kernel/time/tick-sched.c:254
tick_sched_timer+0x74/0x120 kernel/time/tick-sched.c:1492
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x580/0xb14 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x2a4/0x768 kernel/time/hrtimer.c:1814
timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
arch_timer_handler_phys+0x40/0x6c drivers/clocksource/arm_arch_timer.c:692
handle_percpu_devid_irq+0x19c/0x30c kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
generic_handle_domain_irq+0x78/0xa4 kernel/irq/irqdesc.c:728
gic_handle_irq+0x54/0x188 drivers/irqchip/irq-gic.c:373
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
do_interrupt_handler+0x12c/0x150 arch/arm64/kernel/entry-common.c:276
el0_interrupt+0x68/0x1cc arch/arm64/kernel/entry-common.c:760
__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:768
el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:773
el0t_64_irq+0x190/0x194 arch/arm64/kernel/entry.S:596

Allocated by task 3099:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x34 mm/kasan/generic.c:511
__kasan_slab_alloc+0x8c/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x168/0x2d4 mm/slub.c:3523
alloc_task_struct_node kernel/fork.c:173 [inline]
dup_task_struct kernel/fork.c:1110 [inline]
copy_process+0x360/0x5520 kernel/fork.c:2327
kernel_clone+0x140/0x7e8 kernel/fork.c:2909
__do_sys_clone+0xb8/0xfc kernel/fork.c:3052
__se_sys_clone kernel/fork.c:3020 [inline]
__arm64_sys_clone+0xa4/0xfc kernel/fork.c:3020
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Freed by task 3099:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
kasan_set_track+0x2c/0x40 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x120/0x1b8 mm/kasan/common.c:200
__kasan_slab_free+0x18/0x24 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
kmem_cache_free+0x14c/0x4e8 mm/slub.c:3831
free_task_struct kernel/fork.c:178 [inline]
free_task+0xd4/0x11c kernel/fork.c:627
__put_task_struct+0x1e4/0x27c kernel/fork.c:981
put_task_struct include/linux/sched/task.h:136 [inline]
put_task_struct include/linux/sched/task.h:123 [inline]
delayed_put_task_struct+0x138/0x314 kernel/exit.c:226
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0x950/0x1c3c kernel/rcu/tree.c:2403
rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
__do_softirq+0x2e4/0xe1c kernel/softirq.c:553

Last potentially related work creation:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb4/0xe4 mm/kasan/generic.c:492
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
__call_rcu_common.constprop.0+0x9c/0x8c0 kernel/rcu/tree.c:2653
call_rcu+0x10/0x1c kernel/rcu/tree.c:2767
put_task_struct_rcu_user kernel/exit.c:232 [inline]
put_task_struct_rcu_user kernel/exit.c:229 [inline]
release_task+0xbc8/0x1520 kernel/exit.c:282
wait_task_zombie kernel/exit.c:1210 [inline]
wait_consider_task+0xf14/0x2a5c kernel/exit.c:1437
do_wait_pid kernel/exit.c:1568 [inline]
do_wait+0x490/0x994 kernel/exit.c:1610
kernel_wait4+0xec/0x258 kernel/exit.c:1780
__do_sys_wait4+0xac/0x1e8 kernel/exit.c:1808
__se_sys_wait4 kernel/exit.c:1804 [inline]
__arm64_sys_wait4+0x88/0xc8 kernel/exit.c:1804
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x140 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Second to last potentially related work creation:
kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb4/0xe4 mm/kasan/generic.c:492
kasan_record_aux_stack+0x14/0x20 mm/kasan/generic.c:497
task_work_add+0x94/0x298 kernel/task_work.c:48
task_tick_mm_cid+0xfc/0x14c kernel/sched/core.c:12023
scheduler_tick+0x22c/0x4f8 kernel/sched/core.c:5662
update_process_times+0x180/0x1f8 kernel/time/timer.c:2076
tick_sched_handle+0x68/0x12c kernel/time/tick-sched.c:254
tick_sched_timer+0x74/0x120 kernel/time/tick-sched.c:1492
__run_hrtimer kernel/time/hrtimer.c:1688 [inline]
__hrtimer_run_queues+0x580/0xb14 kernel/time/hrtimer.c:1752
hrtimer_interrupt+0x2a4/0x768 kernel/time/hrtimer.c:1814
timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
arch_timer_handler_phys+0x40/0x6c drivers/clocksource/arm_arch_timer.c:692
handle_percpu_devid_irq+0x19c/0x30c kernel/irq/chip.c:942
generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
generic_handle_domain_irq+0x78/0xa4 kernel/irq/irqdesc.c:728
gic_handle_irq+0x54/0x188 drivers/irqchip/irq-gic.c:373

The buggy address belongs to the object at ffff00000acc3780
which belongs to the cache task_struct of size 6848
The buggy address is located 176 bytes inside of
freed 6848-byte region [ffff00000acc3780, ffff00000acc5240)

The buggy address belongs to the physical page:
page:000000007280b60d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4acc0
head:000000007280b60d order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 01ffc00000000840 ffff000009c80dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff00000acc3700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00000acc3780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000acc3800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00000acc3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00000acc3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup