syzbot


KASAN: use-after-free Read in slip_open

Status: fixed on 2019/12/13 00:31
Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
Fix commit: e58c19124189 slip: Fix use-after-free Read in slip_open
First crash: 956d, last: 951d

Cause bisection: inconclusive. The bisect log narrows the cause to one of the commits below, but every candidate is an RTC-subsystem change from the rtc-5.4 merge and none touches drivers/net/slip, so this list does not identify the real cause (the fix commit above does):
  6ef35398e827 rtc: Add Amlogic Virtual Wake RTC
  1d74f0992991 dt-bindings: rtc: add bindings for FlexTimer Module
  ed16239637f6 dt-bindings: rtc: new binding for Amlogic VRTC
  7b0b551dbc1e rtc: fsl-ftm-alarm: add FTM alarm driver
  a6f26606ddd0 rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
  80ba93639b5d rtc: ds1672: remove unnecessary check
  903e259f9caf dt-bindings: rtc: sun6i: Add compatible for H6 RTC
  44c638ce4ec6 rtc: remove superfluous error message
  b60ff2cfb598 rtc: sun6i: Add support for H6 RTC
  924068e50a6c rtc: class: add debug message when registration fails
  e788771cacaf rtc: pcf2127: convert to devm_rtc_allocate_device
  bbfe3a7a1d41 rtc: pcf2127: cleanup register and bit defines
  cb36cf803f3f rtc: pcf2123: add proper compatible string
  7f43020e3bdb rtc: pcf2127: bugfix: read rtc disables watchdog
  d5b626e13503 rtc: pcf2123: let the core handle range offsetting
  0e735eaae165 rtc: pcf2127: add watchdog feature support
  935a7f459790 rtc: pcf2123: convert to devm_rtc_allocate_device
  03623b4b041c rtc: pcf2127: add tamper detection support
  9a5aeaad73ec rtc: pcf2123: remove useless error path goto
  28abbba36a5a rtc: pcf2127: bugfix: watchdog build dependency
  9126a2b16b67 rtc: pcf2123: rename struct and variables
  6fd4fe9b496d rtc: snvs: fix possible race condition
  d3bad6026f0b rtc: pcf2123: stop using dev.platform_data
  577f648207e0 rtc: pcf2123: implement .alarm_irq_enable
  79610340cac8 rtc: snvs: set range
  c59a9fc7272e rtc: snvs: switch to rtc_time64_to_tm/rtc_tm_to_time64
  d0ce6ef71466 rtc; pcf2123: fix possible alarm race condition
  5bdf40dab622 rtc: pcf2123: don't use weekday alarm
  7ef66122bdb3 rtc: pcf85363/pcf85263: fix regmap error in set_time
  59a7f24fceb3 rtc: max77686: convert to devm_i2c_new_dummy_device()
  faac910201e9 rtc: Remove dev_err() usage after platform_get_irq()
  4053e74996b8 rtc: s35390a: convert to devm_i2c_new_dummy_device()
  b0a3fa44659c rtc: mxc: use spin_lock_irqsave instead of spin_lock_irq in IRQ context
  41a8e19f47df rtc: bd70528: fix driver dependencies
  cd646ec003c5 rtc: pcf8563: add Epson RTC8564 compatible
  cb3cab06142e rtc: remove w90x900/nuc900 driver
  deaa3ff4984f rtc: pcf8563: add Microcrystal RV8564 compatible
  8d3f805e6896 rtc: pcf8563: convert to devm_rtc_allocate_device
  aae364d2a888 rtc: s5m: convert to i2c_new_dummy_device
  c7d5f6dbd9f9 rtc: pcf8563: remove useless indirection
  ca83542cdb5c rtc: s35390a: convert to i2c_new_dummy_device
  7150710f3084 rtc: max77686: convert to i2c_new_dummy_device
  f648d40b99ba rtc: pcf8563: let the core handle range offsetting
  46eabee1f6e6 rtc: isl12026: convert to i2c_new_dummy_device
  d76a81d0c262 rtc: sun6i: Allow using as wakeup source from suspend
  4a9eb8154ffd dt-bindings: rtc: ds1307: add rx8130 compatible
  564225415e77 dt-bindings: rtc: Remove the PCF8563 from the trivial RTCs
  e02e3ddac772 rtc: sc27xx: Remove clearing SPRD_RTC_POWEROFF_ALM_FLAG flag
  f7234a9813b7 rtc: imxdi: use devm_platform_ioremap_resource() to simplify code
  874532cdeefe rtc: mxc_v2: use devm_platform_ioremap_resource() to simplify code
  b99a3120f9a3 rtc: meson: mark PM functions as __maybe_unused
  9dbd83f66529 Merge tag 'rtc-5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
similar bugs (3):
Kernel     | Title                                       | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Read in slip_open     | C     | done         | done       | 7     | 942d  | 953d     | 1/1     | fixed on 2020/01/03 09:37
upstream   | KASAN: use-after-free Read in slip_open (2) |       |              |            | 2     | 4d14h | 49d      | 0/22    | upstream: reported on 2022/05/14 07:35
linux-4.14 | KASAN: use-after-free Read in slip_open     | C     | done         | done       | 2     | 949d  | 949d     | 1/1     | fixed on 2019/12/28 10:32

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in sl_sync drivers/net/slip/slip.c:725 [inline]
BUG: KASAN: use-after-free in slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
Read of size 8 at addr ffff88809431cb48 by task syz-executor276/8797

CPU: 0 PID: 8797 Comm: syz-executor276 Not tainted 5.4.0-rc8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 sl_sync drivers/net/slip/slip.c:725 [inline]
 slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
 tiocsetd drivers/tty/tty_io.c:2334 [inline]
 tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441149
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcfb9185b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441149
RDX: 0000000020000040 RSI: 0000000000005423 RDI: 0000000000000003
RBP: 00007ffcfb9185d0 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8796:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:510 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:483
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc_node mm/slab.c:3615 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3622
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:564
 kvmalloc include/linux/mm.h:670 [inline]
 kvzalloc include/linux/mm.h:678 [inline]
 alloc_netdev_mqs+0x98/0xde0 net/core/dev.c:9499
 sl_alloc drivers/net/slip/slip.c:751 [inline]
 slip_open+0x38e/0x11b7 drivers/net/slip/slip.c:812
 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
 tiocsetd drivers/tty/tty_io.c:2334 [inline]
 tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8796:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 kvfree+0x61/0x70 mm/util.c:593
 netdev_freemem net/core/dev.c:9453 [inline]
 free_netdev+0x3c0/0x470 net/core/dev.c:9608
 slip_open+0xd70/0x11b7 drivers/net/slip/slip.c:858
 tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
 tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
 tiocsetd drivers/tty/tty_io.c:2334 [inline]
 tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809431c000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2888 bytes inside of
 4096-byte region [ffff88809431c000, ffff88809431d000)
The buggy address belongs to the page:
page:ffffea000250c700 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
raw: 01fffc0000010200 ffffea0002a18b88 ffffea0002a14788 ffff8880aa402000
raw: 0000000000000000 ffff88809431c000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809431ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809431ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809431cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88809431cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809431cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
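Reading the three stacks together: the netdev is allocated by sl_alloc() at slip.c:812 (task 8796), freed by free_netdev() at slip.c:858 in slip_open()'s own error path (same task), and then read by sl_sync() at slip.c:725 from the next slip_open() (task 8797). So the error path released the object but left it reachable from the driver's device table that sl_sync() walks on every open; the second TIOCSETD hit the stale pointer. The following user-space model is an added illustration, not kernel code and not the syzbot reproducer: SL_NRUNIT, LIVE_MAGIC, POISON, the quarantine and the function names are this example's own, and free() is replaced by a poisoning quarantine so the dangling read can be counted deterministically instead of being undefined behaviour.

```c
/* Model of the slip_open() lifetime bug: a device table that keeps pointing
 * at an object after the open path freed it. Added example, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

#define SL_NRUNIT  4
#define LIVE_MAGIC 0x534c4950u  /* "SLIP": object is allocated */
#define POISON     0xfbfbfbfbu  /* mimics KASAN's 0xfb freed-slab byte */

struct slip_dev {
    unsigned magic;  /* LIVE_MAGIC while live, POISON after free */
    int line;        /* slot index in slip_devs[] */
};

static struct slip_dev *slip_devs[SL_NRUNIT];   /* stands in for the kernel table */

/* Quarantine instead of free(): keeps the memory valid but poisoned so a read
 * through a stale pointer is detectable. Real kfree() would return the memory
 * and KASAN would flag the access, as in the report above. */
static struct slip_dev *quarantine[SL_NRUNIT * 4];
static int nquarantined;

static void model_free(struct slip_dev *sl)
{
    sl->magic = POISON;
    quarantine[nquarantined++] = sl;
}

static void model_reset(void)
{
    /* Release live table entries first: quarantined objects are still valid
     * memory here, so checking magic through a stale pointer is safe. */
    for (int i = 0; i < SL_NRUNIT; i++) {
        if (slip_devs[i] && slip_devs[i]->magic == LIVE_MAGIC)
            free(slip_devs[i]);
        slip_devs[i] = NULL;
    }
    for (int i = 0; i < nquarantined; i++)
        free(quarantine[i]);
    nquarantined = 0;
}

/* Like sl_sync(): visit every table entry. Returns how many entries point at
 * freed memory, i.e. the reads KASAN reported at slip.c:725. */
static int sl_sync(void)
{
    int dangling = 0;
    for (int i = 0; i < SL_NRUNIT; i++) {
        struct slip_dev *sl = slip_devs[i];
        if (!sl)
            continue;
        if (sl->magic != LIVE_MAGIC)
            dangling++;          /* use-after-free read */
    }
    return dangling;
}

/* Like sl_alloc(): allocate and publish the device in the table (slip.c:812). */
static struct slip_dev *sl_alloc(void)
{
    for (int i = 0; i < SL_NRUNIT; i++) {
        if (slip_devs[i])
            continue;
        struct slip_dev *sl = calloc(1, sizeof *sl);
        if (!sl)
            return NULL;
        sl->magic = LIVE_MAGIC;
        sl->line = i;
        slip_devs[i] = sl;
        return sl;
    }
    return NULL;
}

/* Buggy open: on registration failure the object is freed (slip.c:858) but
 * slip_devs[] keeps the pointer. Returns sl_sync()'s dangling count. */
static int slip_open_buggy(int register_fails)
{
    int dangling = sl_sync();
    struct slip_dev *sl = sl_alloc();
    if (!sl)
        return -1;
    if (register_fails)
        model_free(sl);                 /* table slot left stale */
    return dangling;
}

/* Fixed open: unpublish the entry before freeing, so no later open can reach
 * freed memory through the table. */
static int slip_open_fixed(int register_fails)
{
    int dangling = sl_sync();
    struct slip_dev *sl = sl_alloc();
    if (!sl)
        return -1;
    if (register_fails) {
        slip_devs[sl->line] = NULL;     /* clear the slot first */
        model_free(sl);
    }
    return dangling;
}

/* Two opens, as in the report: the first fails registration, the second
 * walks the table. Returns the dangling reads seen by the second open. */
static int run_sequence(int (*open_fn)(int))
{
    model_reset();
    open_fn(1);
    int dangling = open_fn(0);
    model_reset();
    return dangling;
}

int main(void)
{
    printf("buggy: %d dangling read(s) on second open\n", run_sequence(slip_open_buggy));
    printf("fixed: %d dangling read(s) on second open\n", run_sequence(slip_open_fixed));
    return 0;
}
```

The check to carry over to real drivers: any pointer published in a global table during the open or probe path must be unpublished on every error exit before the object is freed, in the reverse order of publication; an error path that frees but does not unpublish is exactly the pattern the two tasks in this report exercised.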

Crashes (3):
Manager                    | Time             | Kernel   | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce-root | 2019/11/19 04:57 | upstream | af42d3466bdc | 5bc70212  | .config | log | report | syz       | C       |         |
ci-upstream-kasan-gce-root | 2019/11/24 16:14 | upstream | 6b8a79467876 | 598ca6c8  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-root | 2019/11/19 04:35 | upstream | af42d3466bdc | 5bc70212  | .config | log | report |           |         |         |