syzbot


general protection fault in tipc_conn_close

Status: upstream: reported C repro on 2021/05/01 19:58
Reported-by: syzbot+cae65bcdcf43a3593dd6@syzkaller.appspotmail.com
First crash: 1077d, last: 570d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 general protection fault in tipc_conn_close (2) 2 171d 247d 0/2 auto-obsoleted due to no activity on 2024/01/22 16:54
android-5-15 general protection fault in tipc_conn_close (2) 4 92d 208d 0/2 auto-obsoleted due to no activity on 2024/04/11 01:35
android-54 general protection fault in tipc_conn_close 9 389d 655d 0/2 auto-obsoleted due to no activity on 2023/07/18 14:57
android-5-10 general protection fault in tipc_conn_close (3) 1 211d 211d 0/2 auto-obsoleted due to no activity on 2023/12/14 05:20
upstream general protection fault in tipc_conn_close tipc C 3 2244d 2245d 5/26 fixed on 2018/05/08 18:30
android-6-1 general protection fault in tipc_conn_close 6 64d 291d 0/2 upstream: reported on 2023/06/27 08:56
android-5-10 general protection fault in tipc_conn_close 1 700d 700d 0/2 auto-closed as invalid on 2022/08/12 11:37
android-5-10 general protection fault in tipc_conn_close (2) 6 485d 571d 0/2 auto-obsoleted due to no activity on 2023/04/11 05:56
upstream general protection fault in tipc_conn_close (3) tipc 1 176d 172d 0/26 auto-obsoleted due to no activity on 2024/01/18 09:00
upstream general protection fault in tipc_conn_close (2) tipc 21 289d 861d 0/26 auto-obsoleted due to no activity on 2023/10/06 23:51
android-5-15 general protection fault in tipc_conn_close 4 318d 533d 0/2 auto-obsoleted due to no activity on 2023/08/28 21:57
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2021/10/17 21:36 11m bisect fix linux-4.19.y error job log (0)
2021/09/17 20:50 45m bisect fix linux-4.19.y job log (0) log

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435

CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
 tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 23:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 23:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff888099305a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff888099305a00, ffff888099305c00)
The buggy address belongs to the page:
page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/08/18 20:50 linux-4.19.y 59456c9cc40c a2fe1cb5 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tipc_conn_close
2022/09/21 08:53 linux-4.19.y 3f8a27f9e27b c4b8ccfd .config console log report info [disk image] [vmlinux] ci2-linux-4-19 general protection fault in tipc_conn_close
2021/05/01 19:57 linux-4.19.y 97a8651cadce 77e2b668 .config console log report info ci2-linux-4-19 general protection fault in tipc_conn_close
* Struck through repros no longer work on HEAD.