Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: use-after-free Read in dump_schedule | 1 (4) | 2021/01/25 09:35 |
syzbot |
sign-in | mailing list | source | docs |
Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: use-after-free Read in dump_schedule | 1 (4) | 2021/01/25 09:35 |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
linux-5.15 | KASAN: use-after-free Read in dump_schedule origin:upstream missing-backport | C | error | 2 | 24d | 243d | 0/3 | upstream: reported C repro on 2024/03/23 08:43 | |
linux-6.1 | KASAN: use-after-free Read in dump_schedule origin:upstream | syz | error | 2 | 221d | 241d | 0/3 | closed as invalid on 2024/06/25 09:04 | |
upstream | KASAN: use-after-free Read in dump_schedule (2) net | C | done | inconclusive | 10 | 716d | 1277d | 0/28 | auto-obsoleted due to no activity on 2023/10/12 02:40 |
================================================================== BUG: KASAN: use-after-free in dump_schedule+0x758/0x7d0 net/sched/sch_taprio.c:1764 Read of size 8 at addr ffff8880890b7440 by task syz-executor545/6918 CPU: 0 PID: 6918 Comm: syz-executor545 Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 dump_schedule+0x758/0x7d0 net/sched/sch_taprio.c:1764 taprio_dump+0x55d/0xce0 net/sched/sch_taprio.c:1833 tc_fill_qdisc+0x5e7/0x1220 net/sched/sch_api.c:916 qdisc_notify.isra.0+0x2b1/0x310 net/sched/sch_api.c:983 tc_modify_qdisc+0xf45/0x1990 net/sched/sch_api.c:1635 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852 kernel_sendpage net/socket.c:3642 [inline] sock_sendpage+0xe5/0x140 net/socket.c:944 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x3dc/0x830 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:834 do_splice_from fs/splice.c:846 [inline] do_splice+0xbcd/0x1820 fs/splice.c:1144 __do_sys_splice fs/splice.c:1419 [inline] __se_sys_splice fs/splice.c:1401 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1401 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x44a509 Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f4fa57ced88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00000000006e6a08 RCX: 000000000044a509 RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00000000006e6a00 R08: 0000000000010973 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e6a0c R13: 140b0024000000a4 R14: 0000000000000000 R15: 000000306d616574 Allocated by task 6904: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 kmem_cache_alloc_trace+0x174/0x2c0 mm/slab.c:3550 kmalloc include/linux/slab.h:554 [inline] kzalloc include/linux/slab.h:666 [inline] taprio_change+0x59f/0x2b50 net/sched/sch_taprio.c:1454 qdisc_change net/sched/sch_api.c:1331 [inline] tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852 kernel_sendpage net/socket.c:3642 [inline] sock_sendpage+0xe5/0x140 net/socket.c:944 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x3dc/0x830 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:834 do_splice_from fs/splice.c:846 [inline] do_splice+0xbcd/0x1820 fs/splice.c:1144 __do_sys_splice fs/splice.c:1419 [inline] __se_sys_splice fs/splice.c:1401 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1401 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 6912: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kfree+0x10e/0x2b0 mm/slab.c:3756 taprio_free_sched_cb+0x18b/0x240 net/sched/sch_taprio.c:124 rcu_do_batch kernel/rcu/tree.c:2428 [inline] rcu_core+0x5ca/0x1130 kernel/rcu/tree.c:2656 __do_softirq+0x1f7/0xa91 kernel/softirq.c:298 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2894 [inline] call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968 taprio_change+0x2102/0x2b50 net/sched/sch_taprio.c:1572 qdisc_change net/sched/sch_api.c:1331 [inline] tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852 kernel_sendpage net/socket.c:3642 [inline] sock_sendpage+0xe5/0x140 net/socket.c:944 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x3dc/0x830 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:834 do_splice_from fs/splice.c:846 [inline] do_splice+0xbcd/0x1820 fs/splice.c:1144 __do_sys_splice fs/splice.c:1419 [inline] __se_sys_splice fs/splice.c:1401 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1401 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2894 [inline] call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968 taprio_change+0x2102/0x2b50 net/sched/sch_taprio.c:1572 qdisc_change net/sched/sch_api.c:1331 [inline] tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852 kernel_sendpage net/socket.c:3642 [inline] sock_sendpage+0xe5/0x140 net/socket.c:944 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x3dc/0x830 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:834 do_splice_from fs/splice.c:846 [inline] do_splice+0xbcd/0x1820 fs/splice.c:1144 __do_sys_splice fs/splice.c:1419 [inline] __se_sys_splice fs/splice.c:1401 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1401 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8880890b7400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [ffff8880890b7400, ffff8880890b7460) The buggy address belongs to the page: page:000000002d09b1c6 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880890b7900 pfn:0x890b7 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea000257d408 ffffea00027efa08 ffff8880aa040300 raw: ffff8880890b7900 ffff8880890b7000 000000010000001e 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880890b7300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ffff8880890b7380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff8880890b7400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff8880890b7480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8880890b7500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2020/09/05 01:35 | upstream | 59126901f200 | abf9ba4f | .config | console log | report | syz | C | ci-upstream-kasan-gce-root | |||
2020/09/03 12:12 | upstream | fc3abb53250a | abf9ba4f | .config | console log | report | syz | C | ci-upstream-kasan-gce-smack-root | |||
2020/09/08 03:25 | linux-next | 7a6956579ce6 | abf9ba4f | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root | |||
2020/11/29 17:27 | net-next-old | e71d2b957ee4 | a0092f9d | .config | console log | report | info | ci-upstream-net-kasan-gce | ||||
2020/11/18 19:18 | net-next-old | 6997faa997ba | 09323409 | .config | console log | report | info | ci-upstream-net-kasan-gce | ||||
2020/11/15 17:14 | net-next-old | 0064c5c1b3bf | 1bf9a662 | .config | console log | report | info | ci-upstream-net-kasan-gce | ||||
2020/12/23 10:49 | linux-next | d7a03a44a5e9 | 04201c06 | .config | console log | report | info | ci-upstream-linux-next-kasan-gce-root |