syzbot

 sign-in | mailing list | source | docs
🐞 Open [978] Subsystems 🐞 Fixed [5235] 🐞 Invalid [12492] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in rxrpc_put_peer

Status: fixed on 2019/11/04 14:50
Subsystems: afs net
[Documentation on labels]
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Fix commit: 55f6c98e3674 rxrpc: Fix trace-after-put looking at the put peer record 9ebeddef58c4 rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record
First crash: 1707d, last: 1647d
Cause bisection: failed (error log, bisect log)
  
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 4.19 000/149] 4.19.82-stable review 169 (169) 2019/11/11 09:36
[PATCH 5.3 000/163] 5.3.9-stable review 174 (174) 2019/11/06 10:49
[PATCH AUTOSEL 4.19 01/59] tools: bpf: Use !building_out_of_srctree to determine srctree 59 (59) 2019/10/26 13:19
[PATCH AUTOSEL 5.3 01/99] tools: bpf: Use !building_out_of_srctree to determine srctree 98 (98) 2019/10/26 13:16
[PATCH AUTOSEL 4.19 01/37] PCI/ASPM: Do not initialize link state when aspm_disabled is set 37 (37) 2019/10/26 07:44
[PATCH AUTOSEL 5.3 01/33] net: ipv6: fix listify ip6_rcv_finish in case of forwarding 35 (35) 2019/10/25 15:49
[PATCH net 0/6] rxrpc: Syzbot-inspired fixes 8 (8) 2019/10/07 13:13
KASAN: use-after-free Read in rxrpc_put_peer 2 (6) 2019/10/04 14:03
Reminder: 3 open syzbot reports in "net/rxrpc" subsystem 1 (1) 2019/10/04 04:13
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in rxrpc_put_peer 2 1640d 1686d 0/1 auto-closed as invalid on 2020/02/24 07:46
Last patch testing requests (3)
Created Duration User Patch Repo Result
2019/10/04 14:41 19m dhowells@redhat.com git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 37932e658d77ff16d67f5e3cd24096d48931c2be OK
2019/10/04 13:43 19m dhowells@redhat.com git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git cc9604d48fc3b73d9665ae80a2f07dc3fc0574c4 report log
2019/08/29 12:17 18m dhowells@redhat.com git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 48b9e92aeb3c2b0df3454faf9024f6ca611d65a3 OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0 net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

CPU: 0 PID: 24216 Comm: syz-executor823 Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline]
 rxrpc_put_peer+0x685/0x6a0 net/rxrpc/peer_object.c:435
 rxrpc_rcu_destroy_call+0x5e/0x140 net/rxrpc/call_object.c:566
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0x581/0x1560 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:756 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x95/0xe0 kernel/locking/spinlock.c:191
Code: 48 c7 c0 20 1c f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 39 48 83 3d 92 28 ac 01 00 74 24 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 ec 10 08 fa 65 8b 05 5d 0a bb 78
RSP: 0018:ffff8880927378c0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff11e6384 RBX: 0000000000000286 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: 0000000000000286
RBP: ffff8880927378d0 R08: ffff888097632000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8ac62ca8
R13: ffffffff8ac62ca8 R14: ffff888083be9000 R15: 0000000000000003
 __debug_check_no_obj_freed lib/debugobjects.c:973 [inline]
 debug_check_no_obj_freed+0x20a/0x43f lib/debugobjects.c:994
 free_pages_prepare mm/page_alloc.c:1175 [inline]
 __free_pages_ok+0x266/0xea0 mm/page_alloc.c:1421
 free_compound_page+0x97/0xd0 mm/page_alloc.c:674
 free_transhuge_page+0x2a7/0x3b0 mm/huge_memory.c:2842
 __put_compound_page+0x90/0xd0 mm/swap.c:97
 release_pages+0x5e5/0x1a50 mm/swap.c:810
 free_pages_and_swap_cache+0x2c3/0x3f0 mm/swap_state.c:296
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:184 [inline]
 tlb_flush_mmu+0x89/0x630 mm/mmu_gather.c:191
 tlb_finish_mmu+0x98/0x3b0 mm/mmu_gather.c:272
 exit_mmap+0x2da/0x530 mm/mmap.c:3163
 __mmput kernel/fork.c:1079 [inline]
 mmput+0x179/0x4d0 kernel/fork.c:1100
 exit_mm kernel/exit.c:485 [inline]
 do_exit+0x823/0x2e60 kernel/exit.c:804
 do_group_exit+0x135/0x360 kernel/exit.c:921
 __do_sys_exit_group kernel/exit.c:932 [inline]
 __se_sys_exit_group kernel/exit.c:930 [inline]
 __x64_sys_exit_group+0x44/0x50 kernel/exit.c:930
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440078
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffd29763d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440078
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bfa50 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 24200:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:510 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:483
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
 rxrpc_lookup_local+0x562/0x1ba0 net/rxrpc/local_object.c:277
 rxrpc_sendmsg+0x379/0x5f0 net/rxrpc/af_rxrpc.c:566
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
 save_stack+0x23/0x90 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3756
 rxrpc_local_rcu+0x62/0x80 net/rxrpc/local_object.c:499
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0x581/0x1560 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x262/0x98c kernel/softirq.c:292

The buggy address belongs to the object at ffff888097ec0040
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [ffff888097ec0040, ffff888097ec0440)
The buggy address belongs to the page:
page:ffffea00025fb000 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025bf208 ffffea0002605e88 ffff8880aa400c40
raw: 0000000000000000 ffff888097ec0040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097ebff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888097ebff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888097ec0000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff888097ec0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097ec0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (38):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/09/30 10:53 upstream a3c0e7b1fe1f c1ad5441 .config console log report syz C ci-upstream-kasan-gce
2019/09/04 12:51 upstream 089cf7f6ecb2 12381952 .config console log report syz ci-upstream-kasan-gce-root
2019/09/11 19:28 net-old 3dfdecc6d125 a60cb4cd .config console log report syz ci-upstream-net-this-kasan-gce
2019/09/08 20:51 net-old 28abe5796252 a60cb4cd .config console log report syz ci-upstream-net-this-kasan-gce
2019/10/02 07:48 net-next-old 5be5515a8ea1 b7a87a83 .config console log report syz ci-upstream-net-kasan-gce
2019/09/04 22:12 linux-next 6d028043b55e 040fda58 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/08/28 19:47 linux-next ed2393ca0910 fd37b39e .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/10/19 21:13 upstream 998d75510e37 8c88c9c1 .config console log report ci-upstream-kasan-gce-root
2019/10/18 04:59 upstream 283ea345934d 8c88c9c1 .config console log report ci-upstream-kasan-gce
2019/10/16 05:49 upstream 3b1f00aceb7a d4ea592f .config console log report ci-upstream-kasan-gce
2019/10/08 10:52 upstream eda57a0e4299 28ac6e64 .config console log report ci-upstream-kasan-gce-selinux-root
2019/09/21 13:07 upstream f97c81dc6ca5 d96e88f3 .config console log report ci-upstream-kasan-gce-smack-root
2019/09/19 20:51 upstream b41dae061bbd eb940044 .config console log report ci-upstream-kasan-gce
2019/09/17 04:11 upstream cef7298262e9 51ca0454 .config console log report ci-upstream-kasan-gce-root
2019/09/16 19:50 upstream 4d856f72c10e cb936299 .config console log report ci-upstream-kasan-gce
2019/09/12 14:24 upstream ad32b4800c2b 0b7672ee .config console log report ci-upstream-kasan-gce-root
2019/09/09 20:39 upstream 56037cadf604 a60cb4cd .config console log report ci-upstream-kasan-gce-root
2019/09/08 12:40 upstream b3a9964cfa69 a60cb4cd .config console log report ci-upstream-kasan-gce-selinux-root
2019/09/05 22:07 upstream 3b47fd5ca9ea 040fda58 .config console log report ci-upstream-kasan-gce
2019/09/04 06:10 upstream 089cf7f6ecb2 12381952 .config console log report ci-upstream-kasan-gce-smack-root
2019/09/04 06:09 upstream 089cf7f6ecb2 12381952 .config console log report ci-upstream-kasan-gce-smack-root
2019/09/04 04:50 upstream 089cf7f6ecb2 526709ff .config console log report ci-upstream-kasan-gce
2019/09/04 03:24 upstream 089cf7f6ecb2 526709ff .config console log report ci-upstream-kasan-gce-smack-root
2019/09/04 00:14 upstream 089cf7f6ecb2 526709ff .config console log report ci-upstream-kasan-gce-smack-root
2019/09/02 18:21 upstream 089cf7f6ecb2 14544a56 .config console log report ci-upstream-kasan-gce-smack-root
2019/08/30 23:21 upstream 6525771f58cb fd37b39e .config console log report ci-upstream-kasan-gce-smack-root
2019/08/29 18:23 upstream 6525771f58cb fd37b39e .config console log report ci-upstream-kasan-gce-smack-root
2019/08/29 12:39 upstream 6525771f58cb fd37b39e .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/29 08:46 upstream 6525771f58cb fd37b39e .config console log report ci-upstream-kasan-gce-selinux-root
2019/09/27 21:59 net-old 2b6fd3ea438c d8074e0b .config console log report ci-upstream-net-this-kasan-gce
2019/08/21 15:11 net-old a1c4cd67840e 4ea67ff8 .config console log report ci-upstream-net-this-kasan-gce
2019/10/15 19:35 net-next-old 85a83a8fca7f b5268b89 .config console log report ci-upstream-net-kasan-gce
2019/10/15 15:39 net-next-old 85a83a8fca7f b5268b89 .config console log report ci-upstream-net-kasan-gce
2019/09/27 10:09 net-next-old b41dae061bbd 2f1548bc .config console log report ci-upstream-net-kasan-gce
2019/09/09 18:36 net-next-old 6703a605b5ab a60cb4cd .config console log report ci-upstream-net-kasan-gce
2019/09/07 14:14 net-next-old 742ca7812bcc a60cb4cd .config console log report ci-upstream-net-kasan-gce
2019/09/06 01:28 net-next-old 0e5b36bc4c1f 040fda58 .config console log report ci-upstream-net-kasan-gce
2019/09/03 00:27 net-next-old a21cf11bc57f 14544a56 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.