syzbot


KASAN: use-after-free Read in dump_schedule

Status: fixed on 2021/03/10 01:48
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+621fd33c0b53d15ee8de@syzkaller.appspotmail.com
Fix commit: cc00bcaa5899 netfilter: x_tables: Switch synchronization to RCU
First crash: 1292d, last: 1181d
Cause bisection: introduced by (bisect log) :
commit 7b9eba7ba0c1b24df42b70b62d154b284befbccf
Author: Leandro Dorileo <leandro.maciel.dorileo@intel.com>
Date: Mon Apr 8 17:12:17 2019 +0000

  net/sched: taprio: fix picos_per_byte miscalculation

Crash: WARNING in taprio_dequeue (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit cc00bcaa589914096edef7fb87ca5cee4a166b5c
Author: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Date: Wed Nov 25 18:27:22 2020 +0000

  netfilter: x_tables: Switch synchronization to RCU

  
Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in dump_schedule 1 (4) 2021/01/25 09:35
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in dump_schedule (2) net C done inconclusive 10 469d 1030d 0/26 auto-obsoleted due to no activity on 2023/10/12 02:40
Last patch testing requests (2)
Created Duration User Patch Repo Result
2020/10/30 21:06 18m anmol.karan123@gmail.com patch upstream report log
2020/09/06 03:40 17m anant.thazhemadam@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2021/01/22 12:20 4h59m bisect fix upstream job log (1)
2020/11/08 18:01 30m bisect fix upstream job log (0) log
2020/10/09 15:31 31m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in dump_schedule+0x758/0x7d0 net/sched/sch_taprio.c:1764
Read of size 8 at addr ffff8880890b7440 by task syz-executor545/6918

CPU: 0 PID: 6918 Comm: syz-executor545 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 dump_schedule+0x758/0x7d0 net/sched/sch_taprio.c:1764
 taprio_dump+0x55d/0xce0 net/sched/sch_taprio.c:1833
 tc_fill_qdisc+0x5e7/0x1220 net/sched/sch_api.c:916
 qdisc_notify.isra.0+0x2b1/0x310 net/sched/sch_api.c:983
 tc_modify_qdisc+0xf45/0x1990 net/sched/sch_api.c:1635
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852
 kernel_sendpage net/socket.c:3642 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:944
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x3dc/0x830 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:834
 do_splice_from fs/splice.c:846 [inline]
 do_splice+0xbcd/0x1820 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1419 [inline]
 __se_sys_splice fs/splice.c:1401 [inline]
 __x64_sys_splice+0x198/0x250 fs/splice.c:1401
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44a509
Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4fa57ced88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000006e6a08 RCX: 000000000044a509
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006e6a00 R08: 0000000000010973 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e6a0c
R13: 140b0024000000a4 R14: 0000000000000000 R15: 000000306d616574

Allocated by task 6904:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 kmem_cache_alloc_trace+0x174/0x2c0 mm/slab.c:3550
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 taprio_change+0x59f/0x2b50 net/sched/sch_taprio.c:1454
 qdisc_change net/sched/sch_api.c:1331 [inline]
 tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852
 kernel_sendpage net/socket.c:3642 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:944
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x3dc/0x830 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:834
 do_splice_from fs/splice.c:846 [inline]
 do_splice+0xbcd/0x1820 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1419 [inline]
 __se_sys_splice fs/splice.c:1401 [inline]
 __x64_sys_splice+0x198/0x250 fs/splice.c:1401
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6912:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x10e/0x2b0 mm/slab.c:3756
 taprio_free_sched_cb+0x18b/0x240 net/sched/sch_taprio.c:124
 rcu_do_batch kernel/rcu/tree.c:2428 [inline]
 rcu_core+0x5ca/0x1130 kernel/rcu/tree.c:2656
 __do_softirq+0x1f7/0xa91 kernel/softirq.c:298

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2894 [inline]
 call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968
 taprio_change+0x2102/0x2b50 net/sched/sch_taprio.c:1572
 qdisc_change net/sched/sch_api.c:1331 [inline]
 tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852
 kernel_sendpage net/socket.c:3642 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:944
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x3dc/0x830 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:834
 do_splice_from fs/splice.c:846 [inline]
 do_splice+0xbcd/0x1820 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1419 [inline]
 __se_sys_splice fs/splice.c:1401 [inline]
 __x64_sys_splice+0x198/0x250 fs/splice.c:1401
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x82/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2894 [inline]
 call_rcu+0x15e/0x7b0 kernel/rcu/tree.c:2968
 taprio_change+0x2102/0x2b50 net/sched/sch_taprio.c:1572
 qdisc_change net/sched/sch_api.c:1331 [inline]
 tc_modify_qdisc+0xd41/0x1990 net/sched/sch_api.c:1633
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sock_no_sendpage+0xee/0x130 net/core/sock.c:2852
 kernel_sendpage net/socket.c:3642 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:944
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:448
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x3dc/0x830 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:834
 do_splice_from fs/splice.c:846 [inline]
 do_splice+0xbcd/0x1820 fs/splice.c:1144
 __do_sys_splice fs/splice.c:1419 [inline]
 __se_sys_splice fs/splice.c:1401 [inline]
 __x64_sys_splice+0x198/0x250 fs/splice.c:1401
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880890b7400
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8880890b7400, ffff8880890b7460)
The buggy address belongs to the page:
page:000000002d09b1c6 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880890b7900 pfn:0x890b7
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000257d408 ffffea00027efa08 ffff8880aa040300
raw: ffff8880890b7900 ffff8880890b7000 000000010000001e 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880890b7300: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8880890b7380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8880890b7400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 ffff8880890b7480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880890b7500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/05 01:35 upstream 59126901f200 abf9ba4f .config console log report syz C ci-upstream-kasan-gce-root
2020/09/03 12:12 upstream fc3abb53250a abf9ba4f .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/09/08 03:25 linux-next 7a6956579ce6 abf9ba4f .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/11/29 17:27 net-next-old e71d2b957ee4 a0092f9d .config console log report info ci-upstream-net-kasan-gce
2020/11/18 19:18 net-next-old 6997faa997ba 09323409 .config console log report info ci-upstream-net-kasan-gce
2020/11/15 17:14 net-next-old 0064c5c1b3bf 1bf9a662 .config console log report info ci-upstream-net-kasan-gce
2020/12/23 10:49 linux-next d7a03a44a5e9 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.