syzbot


WARNING: held lock freed!

Status: fixed on 2018/01/22 13:19
Subsystems: sctp
Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
Fix commit: a0ff660058b8 sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
First crash: 2301d, last: 2290d
Discussions (8)
Title | Replies (including bot) | Last reply
[PATCH 3.16 000/254] 3.16.55-rc1 review | 261 (261) | 2018/03/03 15:48
[PATCH 3.2 000/140] 3.2.100-rc1 review | 142 (142) | 2018/02/28 16:57
[PATCH 4.9 00/66] 4.9.79-stable review | 72 (72) | 2018/02/28 15:46
[PATCH 4.4 00/74] 4.4.114-stable review | 90 (90) | 2018/02/19 20:06
[PATCH 3.18 00/52] 3.18.93-stable review | 62 (62) | 2018/01/31 08:52
[PATCH 4.14 00/71] 4.14.16-stable review | 77 (77) | 2018/01/30 14:52
[PATCH net] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf | 9 (9) | 2018/01/16 19:25
WARNING: held lock freed! | 3 (4) | 2018/01/09 05:47
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING: held lock freed! (2) hams C done 1 1758d 1754d 12/26 fixed on 2019/08/27 17:15

Sample crash report:
=========================
WARNING: held lock freed!
4.15.0-rc7+ #261 Not tainted
-------------------------
syzkaller113545/3666 is freeing memory 00000000c92133c6-0000000092cb75b3, with a lock still held there!
 (sk_lock-AF_INET6){+.+.}, at: [<00000000b1bf268b>] lock_sock include/net/sock.h:1461 [inline]
 (sk_lock-AF_INET6){+.+.}, at: [<00000000b1bf268b>] sctp_wait_for_sndbuf+0x509/0x8d0 net/sctp/socket.c:8056
1 lock held by syzkaller113545/3666:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000b1bf268b>] lock_sock include/net/sock.h:1461 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000b1bf268b>] sctp_wait_for_sndbuf+0x509/0x8d0 net/sctp/socket.c:8056

stack backtrace:
CPU: 0 PID: 3666 Comm: syzkaller113545 Not tainted 4.15.0-rc7+ #261
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_freed_lock_bug kernel/locking/lockdep.c:4379 [inline]
 debug_check_no_locks_freed+0x32f/0x3c0 kernel/locking/lockdep.c:4412
 kmem_cache_free+0x68/0x2a0 mm/slab.c:3743
 sk_prot_free net/core/sock.c:1504 [inline]
 __sk_destruct+0x622/0x910 net/core/sock.c:1585
 sk_destruct+0x47/0x80 net/core/sock.c:1593
 __sk_free+0x57/0x230 net/core/sock.c:1601
 sk_free+0x2a/0x40 net/core/sock.c:1612
 sock_put include/net/sock.h:1656 [inline]
 sctp_association_destroy net/sctp/associola.c:424 [inline]
 sctp_association_put+0x14c/0x2f0 net/sctp/associola.c:883
 sctp_wait_for_sndbuf+0x673/0x8d0 net/sctp/socket.c:8067
 sctp_sendmsg+0x277d/0x3360 net/sctp/socket.c:1974
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 SYSC_sendto+0x361/0x5c0 net/socket.c:1729
 SyS_sendto+0x40/0x50 net/socket.c:1697
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x4457e9
RSP: 002b:00007fe7bf12bda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
R13: 00007ffc3c438f0f R14: 00007fe7bf12c9c0 R15: 0000000000000001
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1e0/0x220 kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff8801bbbae08c by task syzkaller113545/3666

CPU: 0 PID: 3666 Comm: syzkaller113545 Not tainted 4.15.0-rc7+ #261
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x1e0/0x220 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline]
 _raw_spin_lock_bh+0x39/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:315 [inline]
 release_sock+0x74/0x2a0 net/core/sock.c:2777
 sctp_sendmsg+0x2c61/0x3360 net/sctp/socket.c:2058
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 SYSC_sendto+0x361/0x5c0 net/socket.c:1729
 SyS_sendto+0x40/0x50 net/socket.c:1697
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x4457e9
RSP: 002b:00007fe7bf12bda8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006dac6c RCX: 00000000004457e9
RDX: 0000000000000001 RSI: 000000002010bf14 RDI: 0000000000000004
RBP: 00000000006dac68 R08: 00000000204d9000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
R13: 00007ffc3c438f0f R14: 00007fe7bf12c9c0 R15: 0000000000000001

Allocated by task 3671:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
 sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1463
 sk_alloc+0x105/0x1410 net/core/sock.c:1523
 sctp_v6_create_accept_sk+0x15a/0x9b0 net/sctp/ipv6.c:667
 sctp_accept+0x5c4/0x970 net/sctp/socket.c:4324
 inet_accept+0x12c/0x930 net/ipv4/af_inet.c:698
 SYSC_accept4+0x38d/0x870 net/socket.c:1553
 SyS_accept4 net/socket.c:1504 [inline]
 SYSC_accept net/socket.c:1587 [inline]
 SyS_accept+0x26/0x30 net/socket.c:1584
 entry_SYSCALL_64_fastpath+0x23/0x9a

Freed by task 3666:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
 sk_prot_free net/core/sock.c:1504 [inline]
 __sk_destruct+0x622/0x910 net/core/sock.c:1585
 sk_destruct+0x47/0x80 net/core/sock.c:1593
 __sk_free+0x57/0x230 net/core/sock.c:1601
 sk_free+0x2a/0x40 net/core/sock.c:1612
 sock_put include/net/sock.h:1656 [inline]
 sctp_association_destroy net/sctp/associola.c:424 [inline]
 sctp_association_put+0x14c/0x2f0 net/sctp/associola.c:883
 sctp_wait_for_sndbuf+0x673/0x8d0 net/sctp/socket.c:8067
 sctp_sendmsg+0x277d/0x3360 net/sctp/socket.c:1974
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 SYSC_sendto+0x361/0x5c0 net/socket.c:1729
 SyS_sendto+0x40/0x50 net/socket.c:1697
 entry_SYSCALL_64_fastpath+0x23/0x9a

The buggy address belongs to the object at ffff8801bbbae000
 which belongs to the cache SCTPv6 of size 1888
The buggy address is located 140 bytes inside of
 1888-byte region [ffff8801bbbae000, ffff8801bbbae760)
The buggy address belongs to the page:
page:ffffea0006eeeb80 count:1 mapcount:0 mapping:ffff8801bbbae000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801bbbae000 0000000000000000 0000000100000002
raw: ffffea00074b04e0 ffffea0007643460 ffff8801d2c10b40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bbbadf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801bbbae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801bbbae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8801bbbae100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801bbbae180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (497):