syzbot


KASAN: use-after-free Write in validate_chain

Status: fixed on 2019/08/27 17:15
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+55c548ad445cef6063ab@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1822d, last: 1811d
Cause bisection: introduced by (bisect log) :
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Discussions (3)
Title Replies (including bot) Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/07/03 06:01
KASAN: use-after-free Write in validate_chain 0 (2) 2019/06/26 10:04
Reminder: 30 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/06/24 05:01

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in check_prev_add kernel/locking/lockdep.c:2298 [inline]
BUG: KASAN: use-after-free in check_prevs_add kernel/locking/lockdep.c:2418 [inline]
BUG: KASAN: use-after-free in validate_chain+0x1a35/0x84f0 kernel/locking/lockdep.c:2800
Write of size 8 at addr ffff88808aad9010 by task syz-executor.5/8294

CPU: 1 PID: 8294 Comm: syz-executor.5 Not tainted 5.2.0-rc7 #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 1172321806:
(stack is not available)

Freed by task 2287698888:
BUG: unable to handle page fault for address: ffffffff8adeb628
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8a70067 P4D 8a70067 PUD 8a71063 PMD 0 
Thread overran stack, or stack corrupted
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8294 Comm: syz-executor.5 Not tainted 5.2.0-rc7 #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:stack_depot_fetch+0x7/0x30 lib/stackdepot.c:201
Code: 44 00 00 31 c0 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 6a b2 fc fd 0f 0b e8 63 b2 fc fd 0f 0b 90 89 f8 25 ff ff 1f 00 <48> 8b 04 c5 30 b6 de 89 c1 ef 11 81 e7 f0 3f 00 00 48 8d 4c 38 18
RSP: 0018:ffff88808aad8a80 EFLAGS: 00010006
RAX: 00000000001fffff RBX: ffffea00022ab600 RCX: 1d0ba4c0d75a0f00
RDX: 0000000000000000 RSI: ffff88808aad8a88 RDI: 00000000ffffffff
RBP: ffff88808aad8ac0 R08: ffffffff817fec39 R09: ffffed1015d644c6
R10: ffffed1015d644c6 R11: 1ffff11015d644c5 R12: ffff8880aa400ac0
R13: ffff88808aad91c0 R14: ffff88808aad9010 R15: ffff88808aad8dc0
FS:  0000555556ae5940(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adeb628 CR3: 00000000a9bd6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
CR2: ffffffff8adeb628
---[ end trace e93a18ba03f9a207 ]---
RIP: 0010:stack_depot_fetch+0x7/0x30 lib/stackdepot.c:201
Code: 44 00 00 31 c0 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 6a b2 fc fd 0f 0b e8 63 b2 fc fd 0f 0b 90 89 f8 25 ff ff 1f 00 <48> 8b 04 c5 30 b6 de 89 c1 ef 11 81 e7 f0 3f 00 00 48 8d 4c 38 18
RSP: 0018:ffff88808aad8a80 EFLAGS: 00010006
RAX: 00000000001fffff RBX: ffffea00022ab600 RCX: 1d0ba4c0d75a0f00
RDX: 0000000000000000 RSI: ffff88808aad8a88 RDI: 00000000ffffffff
RBP: ffff88808aad8ac0 R08: ffffffff817fec39 R09: ffffed1015d644c6
R10: ffffed1015d644c6 R11: 1ffff11015d644c5 R12: ffff8880aa400ac0
R13: ffff88808aad91c0 R14: ffff88808aad9010 R15: ffff88808aad8dc0
FS:  0000555556ae5940(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8adeb628 CR3: 00000000a9bd6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/01 22:29 upstream 6fbc7275c7a9 907bf746 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/06/26 09:15 upstream 249155c20f9b 0a8d1a96 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/06/21 00:29 upstream abf02e2964b3 34bf9440 .config console log report syz ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.