KASAN: use-after-free Read in nbd_genl

Title	Replies (including bot)	Last reply
[PATCH AUTOSEL 5.10 01/47] i2c: rcar: faster irq code to minimize HW race condition	50 (50)	2021/03/12 22:12
[PATCH AUTOSEL 5.11 01/52] i2c: rcar: faster irq code to minimize HW race condition	56 (56)	2021/03/12 22:10
[PATCH 5.10 000/102] 5.10.21-rc1 review	119 (119)	2021/03/08 13:21
[PATCH 5.11 000/104] 5.11.4-rc1 review	119 (119)	2021/03/07 11:37
[PATCH 5.4 00/72] 5.4.103-rc1 review	80 (80)	2021/03/06 16:33
[PATCH AUTOSEL 5.4 01/33] i2c: rcar: faster irq code to minimize HW race condition	33 (33)	2021/03/02 11:57
[PATCH] nbd: handle device refs for DESTROY_ON_DISCONNECT properly	2 (2)	2021/02/22 20:17
KASAN: use-after-free Read in nbd_genl_connect	2 (4)	2021/02/22 20:05
Re: KASAN: use-after-free Read in nbd_genl_connect	1 (1)	2021/02/22 16:02

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: use-after-free Read in nbd_genl_connect	C		error	169	416d	1159d	0/1	upstream: reported C repro on 2021/02/21 14:36
linux-4.14	KASAN: use-after-free Read in nbd_genl_connect	C			199	418d	1160d	0/1	upstream: reported C repro on 2021/02/20 12:01
upstream	KASAN: use-after-free Read in nbd_genl_connect (2) nbd	C	unreliable		6	974d	975d	20/26	fixed on 2021/11/10 00:50

linux-4.19

KASAN: use-after-free Read in nbd_genl_connect

error

169

416d

1159d

0/1

upstream: reported C repro on 2021/02/21 14:36

linux-4.14

KASAN: use-after-free Read in nbd_genl_connect

199

418d

1160d

0/1

upstream: reported C repro on 2021/02/20 12:01

upstream

KASAN: use-after-free Read in nbd_genl_connect (2) nbd

unreliable

974d

975d

20/26

fixed on 2021/11/10 00:50

Created	Duration	User	Patch	Repo	Result
2021/02/22 18:17	18m	josef@toxicpanda.com		git://git.kernel.org/pub/scm/linux/kernel/git/josef/btrfs-next.git nbd-kasan-fix	OK

Created

Duration

User

Patch

Repo

Result

2021/02/22 18:17

18m

josef@toxicpanda.com

git://git.kernel.org/pub/scm/linux/kernel/git/josef/btrfs-next.git nbd-kasan-fix

================================================================== BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] BUG: KASAN: use-after-free in refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 Read of size 4 at addr ffff888014ca19a0 by task syz-executor980/8540 CPU: 0 PID: 8540 Comm: syz-executor980 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 check_memory_region_inline mm/kasan/generic.c:179 [inline] check_memory_region+0x13d/0x180 mm/kasan/generic.c:185 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] refcount_dec_not_one+0x71/0x1e0 lib/refcount.c:76 refcount_dec_and_mutex_lock+0x19/0x140 lib/refcount.c:115 nbd_put drivers/block/nbd.c:248 [inline] nbd_genl_connect+0xee7/0x1560 drivers/block/nbd.c:1980 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x440709 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd63e9cc88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000e3fb RCX: 0000000000440709 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffd63e9ce28 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd63e9cc9c R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0 Allocated by task 8536: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:682 [inline] nbd_dev_add+0x44/0x8e0 drivers/block/nbd.c:1673 nbd_genl_connect+0x59c/0x1560 drivers/block/nbd.c:1838 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 8540: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 kasan_slab_free include/linux/kasan.h:192 [inline] slab_free_hook mm/slub.c:1547 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 slab_free mm/slub.c:3143 [inline] kfree+0xdb/0x3b0 mm/slub.c:4139 nbd_dev_remove drivers/block/nbd.c:243 [inline] nbd_put.part.0+0x180/0x1d0 drivers/block/nbd.c:251 nbd_put drivers/block/nbd.c:295 [inline] nbd_config_put+0x6dd/0x8c0 drivers/block/nbd.c:1242 nbd_genl_connect+0xeb7/0x1560 drivers/block/nbd.c:1978 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888014ca1800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 416 bytes inside of 1024-byte region [ffff888014ca1800, ffff888014ca1c00) The buggy address belongs to the page: page:0000000086766889 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14ca0 head:0000000086766889 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 ffffea0000929400 0000000200000002 ffff888010c41140 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888014ca1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888014ca1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888014ca1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888014ca1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888014ca1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (16):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Manager	Title
2021/02/20 04:11	upstream	f40ddce88593	f689d40a	.config	console log	report	syz	C		ci-upstream-kasan-gce-root	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 18:46	net-old	3af409ca278d	3e5ed8b4	.config	console log	report	syz	C		ci-upstream-net-this-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 06:59	net-old	3af409ca278d	f689d40a	.config	console log	report	syz	C		ci-upstream-net-this-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/21 16:12	net-next-old	38b5133ad607	3e5ed8b4	.config	console log	report	syz	C		ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 22:36	net-next-old	38b5133ad607	3e5ed8b4	.config	console log	report	syz	C		ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 17:15	net-next-old	38b5133ad607	3e5ed8b4	.config	console log	report	syz	C		ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 13:12	net-next-old	38b5133ad607	3e5ed8b4	.config	console log	report	syz	C		ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/28 03:02	upstream	5695e5161974	4c37c133	.config	console log	report			info	ci-upstream-kasan-gce-root	KASAN: use-after-free Read in nbd_genl_connect
2021/02/20 03:19	upstream	f40ddce88593	f689d40a	.config	console log	report			info	ci-upstream-kasan-gce-root	KASAN: use-after-free Read in nbd_genl_connect
2021/03/09 02:40	net-old	29d98f54a4fe	09fbf400	.config	console log	report			info	ci-upstream-net-this-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/02/21 05:59	net-old	3af409ca278d	3e5ed8b4	.config	console log	report			info	ci-upstream-net-this-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/03/09 14:43	net-next-old	d310ec03a34e	09fbf400	.config	console log	report			info	ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/03/06 08:23	net-next-old	d310ec03a34e	56722561	.config	console log	report			info	ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/03/04 23:11	net-next-old	d310ec03a34e	9d751681	.config	console log	report			info	ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/03/02 19:38	net-next-old	d310ec03a34e	92ead296	.config	console log	report			info	ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect
2021/03/02 07:59	net-next-old	d310ec03a34e	183afb6c	.config	console log	report			info	ci-upstream-net-kasan-gce	KASAN: use-after-free Read in nbd_genl_connect

Crashes (16):

Assets (help?)

2021/02/20 04:11

upstream