syzbot
linux-next test error: KASAN: use-after-free Write in afs_wake_up_async_call

Status: fixed on 2020/07/17 17:58
Subsystems: afs
Reported-by: syzbot+ada89e25a220b3befb36@syzkaller.appspotmail.com
Fix commit: 0041cd5a5044 rxrpc: Fix notification call on completion of discarded calls
First crash: 1499d, last: 1491d
Duplicate bugs (1)
Title: bpf test error: KASAN: use-after-free Write in afs_wake_up_async_call
Subsystems: afs
Repro: none
Cause bisect: none
Fix bisect: none
Count: 24
Last: 1493d
Reported: 1493d
Patched: 0/27
Status: closed as dup on 2020/06/19 11:22
Discussions (1)
Title: linux-next test error: KASAN: use-after-free Write in afs_wake_up_async_call
Replies (including bot): 1 (2)
Last reply: 2020/06/19 22:06

Sample crash report:
tipc: TX() has been purged, node left!
==================================================================
BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
Write of size 1 at addr ffff88809136f9e4 by task kworker/u4:5/303

CPU: 1 PID: 303 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
 rxrpc_notify_socket+0x1db/0x5d0 net/rxrpc/recvmsg.c:40
 __rxrpc_set_call_completion.part.0+0x172/0x410 net/rxrpc/recvmsg.c:76
 __rxrpc_call_completed net/rxrpc/recvmsg.c:112 [inline]
 rxrpc_call_completed+0xca/0xf0 net/rxrpc/recvmsg.c:111
 rxrpc_discard_prealloc+0x781/0xab0 net/rxrpc/call_accept.c:233
 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
 process_one_work+0x965/0x1690 kernel/workqueue.c:2269
 worker_thread+0x96/0xe10 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 6802:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 afs_alloc_call+0x55/0x630 fs/afs/rxrpc.c:141
 afs_charge_preallocation+0xe9/0x2d0 fs/afs/rxrpc.c:757
 afs_open_socket+0x292/0x360 fs/afs/rxrpc.c:92
 afs_net_init+0xa6c/0xe30 fs/afs/main.c:125
 ops_init+0xaf/0x420 net/core/net_namespace.c:151
 setup_net+0x2de/0x860 net/core/net_namespace.c:341
 copy_net_ns+0x293/0x590 net/core/net_namespace.c:482
 create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
 ksys_unshare+0x445/0x8e0 kernel/fork.c:2983
 __do_sys_unshare kernel/fork.c:3051 [inline]
 __se_sys_unshare kernel/fork.c:3049 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3049
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 303:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 afs_put_call+0x585/0xa40 fs/afs/rxrpc.c:190
 rxrpc_discard_prealloc+0x764/0xab0 net/rxrpc/call_accept.c:230
 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
 process_one_work+0x965/0x1690 kernel/workqueue.c:2269
 worker_thread+0x96/0xe10 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff88809136f800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 484 bytes inside of
 1024-byte region [ffff88809136f800, ffff88809136fc00)
The buggy address belongs to the page:
page:ffffea000244dbc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029c5dc8 ffffea000240cf48 ffff8880aa000c40
raw: 0000000000000000 ffff88809136f000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809136f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809136f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809136f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88809136fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809136fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (111):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
(No crash below has a Syz repro, C repro, VM info, Assets or Title entry; those columns are empty in every row.)
2020/06/21 15:31 linux-next ce2cc8efd7a4 4f2acff9 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 17:44 linux-next ce2cc8efd7a4 81abc331 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 08:15 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 07:08 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 07:08 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 05:34 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 03:36 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 01:48 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/19 00:22 linux-next ce2cc8efd7a4 bc258b50 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/18 08:40 linux-next ce2cc8efd7a4 d45a4d69 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/18 06:08 linux-next ce2cc8efd7a4 d45a4d69 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/18 04:34 linux-next ce2cc8efd7a4 b9f3810b .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/18 04:34 linux-next ce2cc8efd7a4 b9f3810b .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/17 05:01 linux-next 5fcb9628fd12 559fbe2d .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 17:32 linux-next 27f70ec4fa0e 559fbe2d .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 07:13 linux-next 27f70ec4fa0e baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 06:07 linux-next 27f70ec4fa0e baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 04:43 linux-next 27f70ec4fa0e baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 03:52 linux-next bc7d17d55762 baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/16 02:52 linux-next bc7d17d55762 baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 23:14 linux-next bc7d17d55762 baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 19:43 linux-next bc7d17d55762 baca2611 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 16:39 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 12:53 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 12:53 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 09:08 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 09:08 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 09:08 linux-next bc7d17d55762 8e3ab941 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 05:57 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 05:57 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 05:57 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 02:08 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 02:08 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/15 02:08 linux-next bc7d17d55762 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 23:21 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 23:21 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 23:21 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 21:43 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 21:43 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 21:43 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 18:57 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 18:57 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 18:57 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/14 11:34 linux-next 842221d073a8 2a22c77a .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/13 07:01 linux-next 64302eabdac7 f4724dd3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/06/13 05:11 linux-next 64302eabdac7 f4724dd3 .config console log report ci-upstream-linux-next-kasan-gce-root