syzbot


KASAN: use-after-free Read in ccid_hc_tx_delete

Status: auto-obsoleted due to no activity on 2023/04/12 16:55
Subsystems: dccp
[Documentation on labels]
Reported-by: syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com
First crash: 2030d, last: 1806d
Cause bisection: introduced by (bisect log) :
commit f04684b4d85d6371126f476d3268ebf6a0bd57cf
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Jun 21 08:07:21 2018 +0000

  ALSA: lx6464es: Missing error code in snd_lx6464es_create()

Crash: KASAN: use-after-free Read in ccid_hc_tx_delete (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) [merge commit]:
commit d276709ce6c90b9eceecdbd01a0c083ab04d3a52
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed Mar 6 21:33:11 2019 +0000

  Merge tag 'acpi-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
WARNING in kmem_cache_free (2) dccp syz 13 1766d 2064d 0/26 closed as dup on 2018/10/11 08:07
Discussions (3)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in ccid_hc_tx_delete 2 (5) 2020/01/21 15:39
Reminder: 6 open syzbot bugs in "net/dccp" subsystem 1 (1) 2019/07/24 02:28
Reminder: 6 open syzbot bugs in "net/dccp" subsystem 1 (1) 2019/07/02 06:18
Last patch testing requests (10)
Created Duration User Patch Repo Result
2023/04/12 16:11 19m retest repro linux-next OK log
2022/12/15 07:31 21m retest repro upstream OK log
2022/12/14 14:31 20m retest repro upstream OK log
2022/12/14 10:31 20m retest repro upstream OK log
2022/12/13 23:31 20m retest repro upstream OK log
2022/12/13 22:31 19m retest repro upstream OK log
2022/12/13 19:31 18m retest repro upstream OK log
2022/12/13 15:31 19m retest repro upstream OK log
2022/12/13 11:31 19m retest repro upstream OK log
2022/12/13 11:31 19m retest repro upstream OK log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ccid_hc_tx_delete+0xe0/0x100 net/dccp/ccid.c:188
Read of size 8 at addr ffff8881bd5fcec0 by task ksoftirqd/1/16

CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 4.20.0-rc6+ #152
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ccid_hc_tx_delete+0xe0/0x100 net/dccp/ccid.c:188
 dccp_sk_destruct+0x3c/0x80 net/dccp/proto.c:181
 __sk_destruct+0x107/0xa80 net/core/sock.c:1561
 __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
 rcu_do_batch kernel/rcu/tree.c:2437 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2716 [inline]
 rcu_process_callbacks+0x100a/0x1ac0 kernel/rcu/tree.c:2697
 __do_softirq+0x308/0xb7e kernel/softirq.c:292
 run_ksoftirqd+0x5e/0x100 kernel/softirq.c:654
 smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
 kthread+0x35a/0x440 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 16874:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x730 mm/slab.c:3554
 ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
 dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
 __dccp_feat_activate+0x188/0x280 net/dccp/feat.c:344
 dccp_feat_activate_values+0x3c1/0x80a net/dccp/feat.c:1538
 dccp_rcv_request_sent_state_process net/dccp/input.c:472 [inline]
 dccp_rcv_state_process+0x1320/0x1b7e net/dccp/input.c:680
 dccp_v6_do_rcv+0x271/0xbf0 net/dccp/ipv6.c:638
 sk_backlog_rcv include/net/sock.h:932 [inline]
 __release_sock+0x12f/0x3a0 net/core/sock.c:2276
 release_sock+0xad/0x2c0 net/core/sock.c:2789
 inet_wait_for_connect net/ipv4/af_inet.c:588 [inline]
 __inet_stream_connect+0x641/0x1150 net/ipv4/af_inet.c:680
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:719
 __sys_connect+0x37d/0x4c0 net/socket.c:1664
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect net/socket.c:1672 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1672
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16877:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3760
 ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
 dccp_hdlr_ccid+0x7d/0x150 net/dccp/feat.c:53
 __dccp_feat_activate+0x188/0x280 net/dccp/feat.c:344
 dccp_feat_activate_values+0x3c1/0x80a net/dccp/feat.c:1538
 dccp_create_openreq_child+0x47a/0x630 net/dccp/minisocks.c:127
 dccp_v6_request_recv_sock+0x278/0x2020 net/dccp/ipv6.c:466
 dccp_check_req+0x47d/0x6d0 net/dccp/minisocks.c:196
 dccp_v6_rcv+0x874/0x1ce9 net/dccp/ipv6.c:744
 ip6_input_finish+0x3fc/0x1aa0 net/ipv6/ip6_input.c:384
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:427
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0x115/0x640 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4946
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5056
 process_backlog+0x24e/0x7a0 net/core/dev.c:5864
 napi_poll net/core/dev.c:6287 [inline]
 net_rx_action+0x7fa/0x19b0 net/core/dev.c:6353
 __do_softirq+0x308/0xb7e kernel/softirq.c:292

The buggy address belongs to the object at ffff8881bd5fcec0
 which belongs to the cache ccid2_hc_tx_sock of size 1240
The buggy address is located 0 bytes inside of
 1240-byte region [ffff8881bd5fcec0, ffff8881bd5fd398)
The buggy address belongs to the page:
page:ffffea0006f57f00 count:1 mapcount:0 mapping:ffff8881c5bdc980 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea0006f53a08 ffffea0006f41088 ffff8881c5bdc980
raw: 0000000000000000 ffff8881bd5fc3c0 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881bd5fcd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881bd5fce00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881bd5fce80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8881bd5fcf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881bd5fcf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (354):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/12/15 00:58 upstream eb6cf9f8cb9d 7624ddd6 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/15 00:36 upstream eb6cf9f8cb9d 7624ddd6 .config console log report syz C ci-upstream-kasan-gce
2018/12/15 00:28 upstream eb6cf9f8cb9d 7624ddd6 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/14 23:39 upstream eb6cf9f8cb9d 7624ddd6 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/12/14 21:57 upstream eb6cf9f8cb9d 7624ddd6 .config console log report syz C ci-upstream-kasan-gce-386
2018/12/23 08:35 linux-next 6648e120dd1a e3bd7ab8 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/04/03 16:19 upstream a816fd6b49b6 dfd3394d .config console log report syz ci-upstream-kasan-gce
2019/04/02 22:51 upstream 5e7a8ca31926 dfd3394d .config console log report syz ci-upstream-kasan-gce-root
2019/04/02 00:34 upstream 5e7a8ca31926 a9ca43d4 .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/03/31 19:47 upstream b5c8314f0eba 0c624d4d .config console log report syz ci-upstream-kasan-gce-smack-root
2019/03/02 22:20 upstream c93d9218ea56 1c0e457a .config console log report syz ci-upstream-kasan-gce-root
2019/03/02 17:05 upstream a215ce8f0e00 1c0e457a .config console log report syz ci-upstream-kasan-gce
2019/03/02 17:02 upstream a215ce8f0e00 1c0e457a .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/03/02 17:02 upstream a215ce8f0e00 1c0e457a .config console log report syz ci-upstream-kasan-gce-smack-root
2019/02/10 01:18 upstream e8b50608f666 d75f7686 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/02/10 00:27 upstream e8b50608f666 d75f7686 .config console log report syz ci-upstream-kasan-gce-root
2019/02/09 21:17 upstream 46c291e277f9 d75f7686 .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/02/09 21:10 upstream 46c291e277f9 d75f7686 .config console log report syz ci-upstream-kasan-gce
2018/09/28 22:03 upstream ad0371482b1e 137d7c66 .config console log report syz ci-upstream-kasan-gce-root
2018/09/28 21:11 upstream ad0371482b1e 137d7c66 .config console log report syz ci-upstream-kasan-gce-smack-root
2018/09/28 20:49 upstream ad0371482b1e 137d7c66 .config console log report syz ci-upstream-kasan-gce-selinux-root
2018/08/28 01:20 upstream 050cdc6c9501 7ef1de9e .config console log report syz ci-upstream-kasan-gce
2018/08/28 00:51 upstream 050cdc6c9501 7ef1de9e .config console log report syz ci-upstream-kasan-gce-root
2018/08/27 12:34 upstream 5b394b2ddf03 758cd203 .config console log report syz ci-upstream-kasan-gce-root
2018/08/27 06:05 upstream aba16dc5cf93 758cd203 .config console log report syz ci-upstream-kasan-gce
2019/03/31 20:40 upstream b5c8314f0eba 0c624d4d .config console log report syz ci-upstream-kasan-gce-386
2019/03/02 16:27 upstream a215ce8f0e00 1c0e457a .config console log report syz ci-upstream-kasan-gce-386
2019/02/09 19:28 upstream 46c291e277f9 d75f7686 .config console log report syz ci-upstream-kasan-gce-386
2018/09/28 20:52 upstream ad0371482b1e 137d7c66 .config console log report syz ci-upstream-kasan-gce-386
2018/08/28 01:49 upstream 050cdc6c9501 7ef1de9e .config console log report syz ci-upstream-kasan-gce-386
2018/08/27 06:30 upstream aba16dc5cf93 758cd203 .config console log report syz ci-upstream-kasan-gce-386
2019/04/08 11:20 linux-next ac5b84a1ffe9 c34fde03 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/03/02 17:04 linux-next c63e9e91a254 1c0e457a .config console log report syz ci-upstream-linux-next-kasan-gce-root
2018/09/28 20:23 linux-next 4794a36bf08d 137d7c66 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2018/08/27 06:27 linux-next ab6fc6ef2d8b 758cd203 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/04/07 23:24 upstream 3b0468914708 c34fde03 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/07 17:32 upstream 3b0468914708 c34fde03 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/06 11:56 upstream f654f0fc0bd3 c34fde03 .config console log report ci-upstream-kasan-gce-smack-root
2019/04/03 05:56 upstream 5e7a8ca31926 dfd3394d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/31 02:23 upstream 922c010cf236 0c624d4d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/28 20:45 upstream 1a9df9e29c2a 14c58f8d .config console log report ci-upstream-kasan-gce-smack-root
2019/03/28 03:40 upstream 1a9df9e29c2a f94f56fe .config console log report ci-upstream-kasan-gce-root
2019/03/26 16:07 upstream a3ac7917b730 55684ce1 .config console log report ci-upstream-kasan-gce
2019/03/26 06:07 upstream 8c2ffd917477 55684ce1 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/25 16:08 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce
2019/03/25 12:46 upstream 8c2ffd917477 2c86e0a5 .config console log report ci-upstream-kasan-gce
2019/03/23 06:09 upstream fd1f297b794c 3361bde5 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/22 17:30 upstream 0939221e6468 dce6e62f .config console log report ci-upstream-kasan-gce
2019/03/22 12:51 upstream 0939221e6468 dce6e62f .config console log report ci-upstream-kasan-gce-root
2019/03/22 05:02 upstream 0939221e6468 dce6e62f .config console log report ci-upstream-kasan-gce
2019/03/21 22:22 upstream 54c490164523 dce6e62f .config console log report ci-upstream-kasan-gce-smack-root
2019/03/18 13:59 upstream 9e98c678c2d6 4656beca .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/17 21:48 upstream 80b98e92ebcb ba18afea .config console log report ci-upstream-kasan-gce
2019/03/15 23:48 upstream 6c83d0d5eb62 bab43553 .config console log report ci-upstream-kasan-gce-root
2019/03/15 09:37 upstream f261c4e529da bab43553 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/14 14:55 upstream fa3d493f7a57 d09a902e .config console log report ci-upstream-kasan-gce-root
2019/03/14 04:28 upstream ebc551f2b8f9 2881fc25 .config console log report ci-upstream-kasan-gce-root
2019/03/10 03:42 upstream 6cdc577a18a6 12365b99 .config console log report ci-upstream-kasan-gce-root
2019/03/09 04:09 upstream 3601fe43e816 12365b99 .config console log report ci-upstream-kasan-gce-smack-root
2019/03/08 23:23 upstream 610cd4eadec4 12365b99 .config console log report ci-upstream-kasan-gce-root
2019/03/05 20:30 upstream 63bdf4284c38 16559f86 .config console log report ci-upstream-kasan-gce-root
2018/08/27 04:51 upstream aba16dc5cf93 758cd203 .config console log report ci-upstream-kasan-gce
2019/04/07 03:54 upstream faac51ddac45 c34fde03 .config console log report ci-upstream-kasan-gce-386
2019/04/04 23:03 upstream 145f47c7381d e5d1b3ac .config console log report ci-upstream-kasan-gce-386
2019/03/30 12:11 upstream 0e40da3efeb0 c35ee0ea .config console log report ci-upstream-kasan-gce-386
2019/03/24 08:43 upstream 1bdd3dbfff7a acbc5b7d .config console log report ci-upstream-kasan-gce-386
2019/03/24 07:35 upstream a5ed1e96cafd a2cef203 .config console log report ci-upstream-kasan-gce-386
2019/03/17 12:07 upstream a9dce6679d73 ba18afea .config console log report ci-upstream-kasan-gce-386
2019/03/17 00:18 upstream 9c7dc824d9a4 bab43553 .config console log report ci-upstream-kasan-gce-386
2019/03/15 18:39 upstream f261c4e529da bab43553 .config console log report ci-upstream-kasan-gce-386
2019/03/15 08:13 upstream 3b319ee220a8 d72db19b .config console log report ci-upstream-kasan-gce-386
2019/03/14 20:21 upstream 3b319ee220a8 d72db19b .config console log report ci-upstream-kasan-gce-386
2019/03/14 12:15 upstream fa3d493f7a57 d09a902e .config console log report ci-upstream-kasan-gce-386
2019/03/13 22:02 upstream ebc551f2b8f9 2881fc25 .config console log report ci-upstream-kasan-gce-386
2019/03/11 18:04 upstream 12ad143e1b80 12365b99 .config console log report ci-upstream-kasan-gce-386
2019/03/11 08:11 upstream 12ad143e1b80 12365b99 .config console log report ci-upstream-kasan-gce-386
2019/03/10 14:43 upstream 6cdc577a18a6 12365b99 .config console log report ci-upstream-kasan-gce-386
2019/03/10 02:24 upstream 38e7571c07be 12365b99 .config console log report ci-upstream-kasan-gce-386
2019/03/08 16:49 upstream 610cd4eadec4 12365b99 .config console log report ci-upstream-kasan-gce-386
2019/03/04 21:04 upstream 736706bee329 7c693b52 .config console log report ci-upstream-kasan-gce-386
2019/03/19 22:29 linux-next 75e6a83b189c e4549234 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.