syzbot


KASAN: slab-out-of-bounds Read in rds_cong_queue_updates (2)

Status: auto-closed as invalid on 2019/10/01 11:54
Subsystems: rds
Reported-by: syzbot+0570fef57a5e020bdc87@syzkaller.appspotmail.com
First crash: 2088d, last: 1820d
Discussions (2)
Title Replies (including bot) Last reply
Reminder: 4 open syzbot bugs in "net/rds" subsystem 1 (1) 2019/07/24 02:34
KASAN: slab-out-of-bounds Read in rds_cong_queue_updates (2) 1 (2) 2018/07/11 21:00
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in rds_cong_queue_updates rds 16908 2096d 2227d 0/26 closed as dup on 2018/03/19 06:29

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:254 [inline]
BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:951 [inline]
BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x209/0x4d0 net/rds/cong.c:229
Read of size 4 at addr ffff888081e24044 by task syz-executor.2/1803

CPU: 1 PID: 1803 Comm: syz-executor.2 Not tainted 5.1.0-rc3+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:102
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 check_net include/net/net_namespace.h:254 [inline]
 rds_destroy_pending net/rds/rds.h:951 [inline]
 rds_cong_queue_updates+0x209/0x4d0 net/rds/cong.c:229
 rds_recv_rcvbuf_delta.part.0+0x34f/0x3f0 net/rds/recv.c:118
 rds_recv_rcvbuf_delta net/rds/recv.c:379 [inline]
 rds_recv_incoming+0x789/0x11f0 net/rds/recv.c:379
 rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
 rds_send_xmit+0x1113/0x2560 net/rds/send.c:355
 rds_sendmsg+0x3017/0x3550 net/rds/send.c:1369
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:661
 __sys_sendto+0x262/0x380 net/socket.c:1932
 __do_sys_sendto net/socket.c:1944 [inline]
 __se_sys_sendto net/socket.c:1940 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1940
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4582b9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007eff0a64dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00000000004582b9
RDX: 0000000000000480 RSI: 0000000020000a00 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007eff0a64e6d4
R13: 00000000004c59aa R14: 00000000004d9cf8 R15: 00000000ffffffff

Allocated by task 28778:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc_node mm/slab.c:3337 [inline]
 kmem_cache_alloc_node+0x131/0x710 mm/slab.c:3647
 alloc_task_struct_node kernel/fork.c:157 [inline]
 dup_task_struct kernel/fork.c:844 [inline]
 copy_process.part.0+0x1d08/0x7980 kernel/fork.c:1752
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x257/0xfd0 kernel/fork.c:2226
 __do_sys_clone kernel/fork.c:2333 [inline]
 __se_sys_clone kernel/fork.c:2327 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 28778:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3500 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3766
 free_task_struct kernel/fork.c:162 [inline]
 free_task+0xdd/0x120 kernel/fork.c:457
 copy_process.part.0+0x1a3a/0x7980 kernel/fork.c:2158
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x257/0xfd0 kernel/fork.c:2226
 __do_sys_clone kernel/fork.c:2333 [inline]
 __se_sys_clone kernel/fork.c:2327 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888081e24200
 which belongs to the cache task_struct(33:syz1) of size 6080
The buggy address is located 444 bytes to the left of
 6080-byte region [ffff888081e24200, ffff888081e259c0)
The buggy address belongs to the page:
page:ffffea0002078900 count:1 mapcount:0 mapping:ffff88808a633cc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000285b608 ffffea000258a908 ffff88808a633cc0
raw: 0000000000000000 ffff888081e24200 0000000100000001 ffff888091414480
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888091414480

Memory state around the buggy address:
 ffff888081e23f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888081e23f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888081e24000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888081e24080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888081e24100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
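Reading the report above by hand: the 4-byte read at ffff888081e24044 comes from check_net(), which reads the refcount of a struct net, yet the address lies 444 bytes before a task_struct slab object and the shadow byte under the caret is fc, the value generic KASAN uses for slab redzone. In other words the pointer that rds_destroy_pending() handed to check_net() did not point into a live struct net at all. The Python script below is an added example, not part of syzbot or the kernel: it parses the relevant lines of this report (embedded as a constructed sample taken from the text above), recomputes the offset to the nearest object, checks it against the report's own "located N bytes to the left" line, and decodes the shadow byte. The shadow-byte table follows mm/kasan/kasan.h of the 5.1-era kernel this report came from, and the x86_64 KASAN_SHADOW_OFFSET of 0xdffffc0000000000 is assumed; both are version-dependent.

```python
import re

# Constructed sample: the lines of the KASAN report on this page that the
# triage below needs (header, access line, object description, shadow dump).
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:254 [inline]
BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:951 [inline]
BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x209/0x4d0 net/rds/cong.c:229
Read of size 4 at addr ffff888081e24044 by task syz-executor.2/1803

The buggy address belongs to the object at ffff888081e24200
 which belongs to the cache task_struct(33:syz1) of size 6080
The buggy address is located 444 bytes to the left of
 6080-byte region [ffff888081e24200, ffff888081e259c0)

Memory state around the buggy address:
 ffff888081e23f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888081e24000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888081e24080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Generic KASAN: one shadow byte per 8-byte granule. The x86_64 shadow offset
# (CONFIG_KASAN_SHADOW_OFFSET) is assumed to be the usual 0xdffffc0000000000.
KASAN_SHADOW_SCALE = 8
KASAN_SHADOW_OFFSET = 0xdffffc0000000000

# Shadow byte encoding as in mm/kasan/kasan.h of the 5.1-era kernel this
# report came from (assumption: newer kernels renumber some of these values).
SHADOW_MEANING = {
    0xFF: "freed page",
    0xFE: "page redzone (kmalloc_large)",
    0xFC: "slab object redzone",
    0xFB: "freed slab object",
    0xFA: "global variable redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
}


def shadow_meaning(b):
    """Decode one generic-KASAN shadow byte into a human-readable state."""
    if b == 0:
        return "accessible"
    if 1 <= b <= 7:
        return f"partially accessible (first {b} bytes)"
    return SHADOW_MEANING.get(b, f"unknown 0x{b:02x}")


def shadow_addr(addr):
    """Shadow byte address for a kernel virtual address (generic KASAN, x86_64)."""
    return (addr >> 3) + KASAN_SHADOW_OFFSET


def parse_shadow_rows(text):
    """Map each 8-byte granule address to its shadow byte from the 'Memory state' block."""
    shadow = {}
    for m in re.finditer(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * KASAN_SHADOW_SCALE] = int(tok, 16)
    return shadow


def triage(text):
    """Extract the access, locate it relative to the nearest slab object, decode its shadow byte."""
    # The last BUG: line names the outermost non-inlined frame.
    bug_type, func = re.findall(r"^BUG: KASAN: (\S+) in (\S+)", text, re.M)[-1]
    kind, size, addr = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text, re.M).groups()
    addr, size = int(addr, 16), int(size)
    obj = int(re.search(r"belongs to the object at ([0-9a-f]+)", text).group(1), 16)
    cache, obj_size = re.search(r"cache (\S+) of size (\d+)", text).groups()
    obj_size = int(obj_size)
    if addr < obj:
        offset, where = obj - addr, "left"
    elif addr >= obj + obj_size:
        offset, where = addr - (obj + obj_size), "right"
    else:
        offset, where = addr - obj, "inside"
    # KASAN's own statement of the distance, used as a cross-check.
    m = re.search(r"is located (\d+) bytes to the (left|right) of", text)
    reported_offset, reported_where = (int(m.group(1)), m.group(2)) if m else (None, None)
    sb = parse_shadow_rows(text).get(addr & ~(KASAN_SHADOW_SCALE - 1))
    return {
        "bug_type": bug_type, "function": func, "kind": kind, "size": size, "addr": addr,
        "object": obj, "cache": cache, "object_size": obj_size,
        "offset": offset, "where": where,
        "reported_offset": reported_offset, "reported_where": reported_where,
        "shadow_byte": sb, "shadow_meaning": shadow_meaning(sb) if sb is not None else "not shown",
    }


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['bug_type']} {r['kind']} of {r['size']} bytes in {r['function']}")
    print(f"  {r['offset']} bytes {r['where']} of {r['cache']} object "
          f"(report says {r['reported_offset']} bytes {r['reported_where']})")
    print(f"  shadow byte 0x{r['shadow_byte']:02x} = {r['shadow_meaning']} "
          f"at shadow address 0x{shadow_addr(r['addr']):x}")
```

The redzone result is the useful part: a read that lands in slab redzone, hundreds of bytes before an unrelated cache's object, is a wild pointer rather than a short overrun, which is why the allocation and free stacks (a task_struct from clone) say nothing about the RDS code path that faulted.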

Crashes (434):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/04/04 11:53 upstream 145f47c7381d 6a475fff .config console log report ci-upstream-kasan-gce-selinux-root
2019/04/03 21:17 upstream 8ed86627f715 dfd3394d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/26 13:13 upstream a3ac7917b730 55684ce1 .config console log report ci-upstream-kasan-gce
2019/03/25 19:41 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce
2019/03/25 15:53 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce
2019/03/24 23:12 upstream 1bdd3dbfff7a acbc5b7d .config console log report ci-upstream-kasan-gce
2019/03/24 05:27 upstream a5ed1e96cafd a2cef203 .config console log report ci-upstream-kasan-gce
2019/03/22 20:19 upstream fd1f297b794c 3361bde5 .config console log report ci-upstream-kasan-gce
2019/03/22 15:36 upstream 0939221e6468 dce6e62f .config console log report ci-upstream-kasan-gce
2019/03/22 12:33 upstream 0939221e6468 dce6e62f .config console log report ci-upstream-kasan-gce
2019/03/21 04:59 upstream 54c490164523 427ea487 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/19 00:40 upstream 9e98c678c2d6 46264c32 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/18 14:10 upstream 9e98c678c2d6 4656beca .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/15 23:35 upstream 6c83d0d5eb62 bab43553 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/15 13:05 upstream f261c4e529da bab43553 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/11 21:53 upstream a089e4fed5c5 12365b99 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/06 22:06 upstream afe6fe7036c6 18215b8d .config console log report ci-upstream-kasan-gce-smack-root
2019/01/30 03:09 upstream 62967898789d aa432daf .config console log report ci-upstream-kasan-gce-root
2019/02/25 09:13 upstream 5908e6b738e3 a70141bf .config console log report ci-upstream-kasan-gce-386
2019/03/24 07:02 net-old c8248c6c1a3d a2cef203 .config console log report ci-upstream-net-this-kasan-gce
2019/03/19 13:52 net-old ffa91253739c e4549234 .config console log report ci-upstream-net-this-kasan-gce
2019/03/18 13:28 net-old ea239314fe42 4656beca .config console log report ci-upstream-net-this-kasan-gce
2018/07/11 04:20 net-old 0026129c8629 2e0e3130 .config console log report ci-upstream-net-this-kasan-gce
2019/04/02 05:57 net-next-old f5d547676ca0 a9ca43d4 .config console log report ci-upstream-net-kasan-gce
2019/04/01 14:32 net-next-old 6578229d4efb ccf2355a .config console log report ci-upstream-net-kasan-gce
2019/03/31 12:21 net-next-old 35f861e3c58e 0c624d4d .config console log report ci-upstream-net-kasan-gce
2019/03/31 05:46 net-next-old 35f861e3c58e 0c624d4d .config console log report ci-upstream-net-kasan-gce
2019/03/30 22:48 net-next-old 35f861e3c58e 0c624d4d .config console log report ci-upstream-net-kasan-gce
2019/03/30 20:28 net-next-old 35f861e3c58e c35ee0ea .config console log report ci-upstream-net-kasan-gce
2019/03/30 11:50 net-next-old 35f861e3c58e c35ee0ea .config console log report ci-upstream-net-kasan-gce
2019/03/30 09:32 net-next-old 35f861e3c58e c35ee0ea .config console log report ci-upstream-net-kasan-gce
2019/03/29 23:35 net-next-old 35f861e3c58e c35ee0ea .config console log report ci-upstream-net-kasan-gce
2019/03/29 20:37 net-next-old 113e59d09fbc 98c1bf1c .config console log report ci-upstream-net-kasan-gce
2019/03/28 19:44 net-next-old 356d71e00d27 14c58f8d .config console log report ci-upstream-net-kasan-gce
2019/03/28 10:44 net-next-old 356d71e00d27 f94f56fe .config console log report ci-upstream-net-kasan-gce
2019/03/27 01:30 net-next-old be67101fbf27 55684ce1 .config console log report ci-upstream-net-kasan-gce
2019/03/26 08:17 net-next-old 68cc2999f692 55684ce1 .config console log report ci-upstream-net-kasan-gce
2019/03/25 11:10 net-next-old 68cc2999f692 2c86e0a5 .config console log report ci-upstream-net-kasan-gce
2019/03/22 01:43 net-next-old 0b03a5ca8b14 dce6e62f .config console log report ci-upstream-net-kasan-gce
2019/03/16 20:24 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/16 18:46 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/16 14:09 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/16 12:28 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/16 06:38 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/15 21:06 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/15 19:27 net-next-old 3b319ee220a8 bab43553 .config console log report ci-upstream-net-kasan-gce
2019/03/15 05:59 net-next-old 3b319ee220a8 d72db19b .config console log report ci-upstream-net-kasan-gce
2019/03/14 18:08 net-next-old d9862cfbe209 d09a902e .config console log report ci-upstream-net-kasan-gce
2019/03/12 11:33 net-next-old d9862cfbe209 12365b99 .config console log report ci-upstream-net-kasan-gce
2019/03/11 16:24 net-next-old d9862cfbe209 12365b99 .config console log report ci-upstream-net-kasan-gce
2019/02/16 10:38 linux-next 7a92eb7cc1dc f42dee6d .config console log report ci-upstream-linux-next-kasan-gce-root