syzbot
KASAN: null-ptr-deref Write in queue_work_on

Status: fixed on 2020/02/18 14:31
Subsystems: can
Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
Fix commit: 0ace17d56824 can, slip: Protect tty->disc_data in write_wakeup and close with RCU
First crash: 1937d, last: 1936d
Cause bisection: the cause commit could be any of (bisect log):
  569dbb88e80d Linux 4.13
Fix bisection: failed (error log, bisect log)
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/245] 3.16.83-rc1 review 260 (260) 2020/04/24 17:54
[PATCH 4.19 00/92] 4.19.100-stable review 98 (98) 2020/01/31 13:57
[PATCH 4.9 000/271] 4.9.212-stable review 283 (283) 2020/01/29 22:35
[PATCH 5.4 000/104] 5.4.16-stable review 113 (113) 2020/01/29 15:36
[PATCH 4.14 00/46] 4.14.169-stable review 51 (51) 2020/01/29 14:42
[PATCH 4.4 000/183] 4.4.212-stable review 190 (190) 2020/01/29 13:12
[PATCH v3] can, slip: Protect tty->disc_data in write_wakeup and close with RCU 2 (2) 2020/01/22 19:32
[PATCH] can, slip: Protect tty->disc_data access with RCU 3 (3) 2020/01/16 10:38
KASAN: null-ptr-deref Write in queue_work_on 0 (1) 2019/08/21 22:38

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in test_and_set_bit include/asm-generic/bitops-instrumented.h:143 [inline]
BUG: KASAN: null-ptr-deref in queue_work_on+0xa6/0x1b0 kernel/workqueue.c:1517
Write of size 8 at addr 0000000000000050 by task syz-executor618/8958

CPU: 1 PID: 8958 Comm: syz-executor618 Not tainted 5.3.0-rc4+ #79
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 __kasan_report+0x169/0x1c0 mm/kasan/report.c:486
 kasan_report+0x26/0x50 mm/kasan/common.c:612
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98
 test_and_set_bit include/asm-generic/bitops-instrumented.h:143 [inline]
 queue_work_on+0xa6/0x1b0 kernel/workqueue.c:1517
 queue_work include/linux/workqueue.h:490 [inline]
 schedule_work include/linux/workqueue.h:548 [inline]
 slcan_write_wakeup+0x6f/0x80 drivers/net/can/slcan.c:348
 tty_wakeup+0xb7/0x100 drivers/tty/tty_io.c:535
 pty_unthrottle+0x3c/0x60 drivers/tty/pty.c:95
 tty_unthrottle drivers/tty/tty_ioctl.c:139 [inline]
 __tty_perform_flush drivers/tty/tty_ioctl.c:861 [inline]
 n_tty_ioctl_helper+0x47c/0x670 drivers/tty/tty_ioctl.c:937
 n_tty_ioctl+0x176/0x330 drivers/tty/n_tty.c:2466
 tty_ioctl+0xf83/0x15c0 drivers/tty/tty_io.c:2666
 do_vfs_ioctl+0x744/0x1730 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:718
 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446859
Code: e8 9c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fafebc91d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446859
RDX: 0000000000000000 RSI: 000000000000540b RDI: 0000000000000003
RBP: 00000000006dbc30 R08: 00007fafebc92700 R09: 0000000000000000
R10: 00007fafebc92700 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007ffd75b65dcf R14: 00007fafebc929c0 R15: 20c49ba5e353f7cf
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/08/18 00:07 upstream 6e625a1a3f47 55bf8926 .config console log report syz C ci-upstream-kasan-gce-smack-root
2019/08/17 23:02 upstream 6e625a1a3f47 55bf8926 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/08/17 22:25 upstream 6e625a1a3f47 55bf8926 .config console log report syz C ci-upstream-kasan-gce-root
2019/08/18 03:16 linux-next 0c3d3d648b3e 55bf8926 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/08/17 21:58 upstream 6e625a1a3f47 55bf8926 .config console log report ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.