syzbot


KASAN: use-after-free Read in ccid_hc_tx_delete

Status: upstream: reported C repro on 2018/08/27 17:10
Reported-by: syzbot+3967c1caf256f4d5aefe@syzkaller.appspotmail.com
First crash: 1501d, last: 1277d

Cause bisection: introduced by (bisect log):
commit f04684b4d85d6371126f476d3268ebf6a0bd57cf
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu Jun 21 08:07:21 2018 +0000

  ALSA: lx6464es: Missing error code in snd_lx6464es_create()

Crash: KASAN: use-after-free Read in ccid_hc_tx_delete (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [merge commit]:
commit d276709ce6c90b9eceecdbd01a0c083ab04d3a52
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed Mar 6 21:33:11 2019 +0000

  Merge tag 'acpi-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

duplicates (1):
Title                           Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
WARNING in kmem_cache_free (2)  syz                              13     1237d  1535d     0/24     closed as dup on 2018/10/11 08:07
Patch testing requests:
Created           Duration  User  Patch  Repo        Result
2022/09/05 03:27  16m                    upstream    OK log
2022/09/04 23:27  16m                    upstream    OK log
2022/09/04 19:27  16m                    upstream    OK log
2022/09/04 15:27  16m                    upstream    OK log
2022/09/04 11:27  15m                    upstream    OK log
2022/09/04 07:27  15m                    upstream    OK log
2022/09/04 03:27  18m                    upstream    OK log
2022/09/03 12:27  17m                    linux-next  OK log
2022/09/03 09:27  16m                    linux-next  OK log
2022/09/03 06:27  17m                    upstream    OK log
2022/09/03 05:27  7m                     linux-next  error
2022/09/03 00:27  16m                    upstream    OK log
2022/09/03 00:27  15m                    linux-next  OK log
2022/09/02 20:27  16m                    upstream    OK log
2022/09/02 19:27  19m                    linux-next  OK log
2022/09/02 18:27  16m                    upstream    OK log
2022/09/02 16:27  16m                    upstream    OK log
2022/09/02 14:27  16m                    upstream    OK log
2022/09/02 12:27  18m                    upstream    OK log
2022/09/02 11:27  14m                    upstream    OK log
2022/09/02 08:27  13m                    upstream    OK log
2022/09/02 07:27  14m                    upstream    OK log
2022/09/02 05:27  13m                    upstream    OK log
2022/09/02 04:27  13m                    upstream    OK log
2022/09/02 01:27  16m                    upstream    OK log
2022/09/02 00:27  14m                    upstream    OK log
2022/09/01 21:27  13m                    upstream    OK log
2022/09/01 18:27  16m                    upstream    OK log
2022/09/01 01:27  12m                    upstream    OK log
2022/08/31 22:27  13m                    upstream    OK log
2022/08/31 18:27  14m                    upstream    OK log
2022/08/31 15:27  14m                    upstream    OK log
2022/08/31 11:27  13m                    upstream    OK log
2022/08/31 08:27  13m                    upstream    OK log
2022/08/31 05:27  16m                    upstream    OK log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ccid_hc_tx_delete+0xde/0x100 net/dccp/ccid.c:188
Read of size 8 at addr ffff88808e09eb80 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0-rc8-next-20190301 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 ccid_hc_tx_delete+0xde/0x100 net/dccp/ccid.c:188
 dccp_sk_destruct+0x3f/0x90 net/dccp/proto.c:181
 __sk_destruct+0x55/0x6d0 net/core/sock.c:1685
 __rcu_reclaim kernel/rcu/rcu.h:227 [inline]
 rcu_do_batch kernel/rcu/tree.c:2475 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2788 [inline]
 rcu_core+0x928/0x1390 kernel/rcu/tree.c:2769
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 run_ksoftirqd kernel/softirq.c:655 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:647
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7993:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:436 [inline]
 slab_alloc mm/slab.c:3392 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3554
 ccid_new+0x256/0x3f0 net/dccp/ccid.c:151
 dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
 __dccp_feat_activate+0x17a/0x270 net/dccp/feat.c:344
 dccp_feat_activate_values+0x33a/0x766 net/dccp/feat.c:1538
 dccp_rcv_request_sent_state_process net/dccp/input.c:472 [inline]
 dccp_rcv_state_process+0x116f/0x1935 net/dccp/input.c:680
 dccp_v6_do_rcv+0x269/0xbf0 net/dccp/ipv6.c:641
 sk_backlog_rcv include/net/sock.h:937 [inline]
 __release_sock+0x12e/0x3a0 net/core/sock.c:2399
 release_sock+0x59/0x1c0 net/core/sock.c:2915
 inet_wait_for_connect net/ipv4/af_inet.c:588 [inline]
 __inet_stream_connect+0x59f/0xea0 net/ipv4/af_inet.c:680
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:719
 __sys_connect+0x266/0x330 net/socket.c:1685
 __do_sys_connect net/socket.c:1696 [inline]
 __se_sys_connect net/socket.c:1693 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1693
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8004:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3764
 ccid_hc_tx_delete+0xc1/0x100 net/dccp/ccid.c:190
 dccp_hdlr_ccid+0x7d/0x150 net/dccp/feat.c:53
 __dccp_feat_activate+0x17a/0x270 net/dccp/feat.c:344
 dccp_feat_activate_values+0x33a/0x766 net/dccp/feat.c:1538
 dccp_create_openreq_child+0x40c/0x570 net/dccp/minisocks.c:127
 dccp_v6_request_recv_sock+0x214/0x1da0 net/dccp/ipv6.c:469
 dccp_check_req+0x35c/0x6f0 net/dccp/minisocks.c:196
 dccp_v6_rcv+0x6d7/0x191e net/dccp/ipv6.c:747
 ip6_protocol_deliver_rcu+0x303/0x16c0 net/ipv6/ip6_input.c:394
 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:434
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:443
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x1e7/0x320 net/ipv6/ip6_input.c:76
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:293

The buggy address belongs to the object at ffff88808e09eb80
 which belongs to the cache ccid2_hc_tx_sock of size 1240
The buggy address is located 0 bytes inside of
 1240-byte region [ffff88808e09eb80, ffff88808e09f058)
The buggy address belongs to the page:
page:ffffea0002382780 count:1 mapcount:0 mapping:ffff8882168e8c00 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00022f5008 ffffea00022a7388 ffff8882168e8c00
raw: 0000000000000000 ffff88808e09e080 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808e09ea80: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff88808e09eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808e09eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Crashes (354):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-linux-next-kasan-gce-root 2019/03/02 17:04 linux-next c63e9e91a254 1c0e457a .config log report syz
ci-upstream-kasan-gce-smack-root 2018/12/15 00:58 upstream eb6cf9f8cb9d 7624ddd6 .config log report syz C
ci-upstream-kasan-gce 2018/12/15 00:36 upstream eb6cf9f8cb9d 7624ddd6 .config log report syz C
ci-upstream-kasan-gce-root 2018/12/15 00:28 upstream eb6cf9f8cb9d 7624ddd6 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2018/12/14 23:39 upstream eb6cf9f8cb9d 7624ddd6 .config log report syz C
ci-upstream-kasan-gce-386 2018/12/14 21:57 upstream eb6cf9f8cb9d 7624ddd6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/12/23 08:35 linux-next 6648e120dd1a e3bd7ab8 .config log report syz C
ci-upstream-kasan-gce 2019/04/03 16:19 upstream a816fd6b49b6 dfd3394d .config log report syz
ci-upstream-kasan-gce-root 2019/04/02 22:51 upstream 5e7a8ca31926 dfd3394d .config log report syz
ci-upstream-kasan-gce-selinux-root 2019/04/02 00:34 upstream 5e7a8ca31926 a9ca43d4 .config log report syz
ci-upstream-kasan-gce-smack-root 2019/03/31 19:47 upstream b5c8314f0eba 0c624d4d .config log report syz
ci-upstream-kasan-gce-root 2019/03/02 22:20 upstream c93d9218ea56 1c0e457a .config log report syz
ci-upstream-kasan-gce 2019/03/02 17:05 upstream a215ce8f0e00 1c0e457a .config log report syz
ci-upstream-kasan-gce-selinux-root 2019/03/02 17:02 upstream a215ce8f0e00 1c0e457a .config log report syz
ci-upstream-kasan-gce-smack-root 2019/03/02 17:02 upstream a215ce8f0e00 1c0e457a .config log report syz
ci-upstream-kasan-gce-smack-root 2019/02/10 01:18 upstream e8b50608f666 d75f7686 .config log report syz
ci-upstream-kasan-gce-root 2019/02/10 00:27 upstream e8b50608f666 d75f7686 .config log report syz
ci-upstream-kasan-gce-selinux-root 2019/02/09 21:17 upstream 46c291e277f9 d75f7686 .config log report syz
ci-upstream-kasan-gce 2019/02/09 21:10 upstream 46c291e277f9 d75f7686 .config log report syz
ci-upstream-kasan-gce-root 2018/09/28 22:03 upstream ad0371482b1e 137d7c66 .config log report syz
ci-upstream-kasan-gce-smack-root 2018/09/28 21:11 upstream ad0371482b1e 137d7c66 .config log report syz
ci-upstream-kasan-gce-selinux-root 2018/09/28 20:49 upstream ad0371482b1e 137d7c66 .config log report syz
ci-upstream-kasan-gce 2018/08/28 01:20 upstream 050cdc6c9501 7ef1de9e .config log report syz
ci-upstream-kasan-gce-root 2018/08/28 00:51 upstream 050cdc6c9501 7ef1de9e .config log report syz
ci-upstream-kasan-gce-root 2018/08/27 12:34 upstream 5b394b2ddf03 758cd203 .config log report syz
ci-upstream-kasan-gce 2018/08/27 06:05 upstream aba16dc5cf93 758cd203 .config log report syz
ci-upstream-kasan-gce-386 2019/03/31 20:40 upstream b5c8314f0eba 0c624d4d .config log report syz
ci-upstream-kasan-gce-386 2019/03/02 16:27 upstream a215ce8f0e00 1c0e457a .config log report syz
ci-upstream-kasan-gce-386 2019/02/09 19:28 upstream 46c291e277f9 d75f7686 .config log report syz
ci-upstream-kasan-gce-386 2018/09/28 20:52 upstream ad0371482b1e 137d7c66 .config log report syz
ci-upstream-kasan-gce-386 2018/08/28 01:49 upstream 050cdc6c9501 7ef1de9e .config log report syz
ci-upstream-kasan-gce-386 2018/08/27 06:30 upstream aba16dc5cf93 758cd203 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/04/08 11:20 linux-next ac5b84a1ffe9 c34fde03 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2018/09/28 20:23 linux-next 4794a36bf08d 137d7c66 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2018/08/27 06:27 linux-next ab6fc6ef2d8b 758cd203 .config log report syz
ci-upstream-kasan-gce-smack-root 2019/04/07 23:24 upstream 3b0468914708 c34fde03 .config log report
ci-upstream-kasan-gce-smack-root 2019/04/07 17:32 upstream 3b0468914708 c34fde03 .config log report
ci-upstream-kasan-gce-smack-root 2019/04/06 11:56 upstream f654f0fc0bd3 c34fde03 .config log report
ci-upstream-kasan-gce-smack-root 2019/04/03 05:56 upstream 5e7a8ca31926 dfd3394d .config log report
ci-upstream-kasan-gce-smack-root 2019/03/31 02:23 upstream 922c010cf236 0c624d4d .config log report
ci-upstream-kasan-gce-smack-root 2019/03/28 20:45 upstream 1a9df9e29c2a 14c58f8d .config log report
ci-upstream-kasan-gce-root 2019/03/28 03:40 upstream 1a9df9e29c2a f94f56fe .config log report
ci-upstream-kasan-gce 2019/03/26 16:07 upstream a3ac7917b730 55684ce1 .config log report
ci-upstream-kasan-gce-smack-root 2019/03/26 06:07 upstream 8c2ffd917477 55684ce1 .config log report
ci-upstream-kasan-gce 2019/03/25 16:08 upstream 8c2ffd917477 2c86e0a5 .config log report
ci-upstream-kasan-gce 2019/03/25 12:46 upstream 8c2ffd917477 2c86e0a5 .config log report
ci-upstream-kasan-gce-smack-root 2019/03/23 06:09 upstream fd1f297b794c 3361bde5 .config log report
ci-upstream-kasan-gce 2019/03/22 17:30 upstream 0939221e6468 dce6e62f .config log report
ci-upstream-kasan-gce-root 2019/03/22 12:51 upstream 0939221e6468 dce6e62f .config log report
ci-upstream-kasan-gce 2019/03/22 05:02 upstream 0939221e6468 dce6e62f .config log report
ci-upstream-kasan-gce-smack-root 2019/03/21 22:22 upstream 54c490164523 dce6e62f .config log report
ci-upstream-kasan-gce-selinux-root 2019/03/18 13:59 upstream 9e98c678c2d6 4656beca .config log report
ci-upstream-kasan-gce 2019/03/17 21:48 upstream 80b98e92ebcb ba18afea .config log report
ci-upstream-kasan-gce-root 2019/03/15 23:48 upstream 6c83d0d5eb62 bab43553 .config log report
ci-upstream-kasan-gce-selinux-root 2019/03/15 09:37 upstream f261c4e529da bab43553 .config log report
ci-upstream-kasan-gce-root 2019/03/14 14:55 upstream fa3d493f7a57 d09a902e .config log report
ci-upstream-kasan-gce-root 2019/03/14 04:28 upstream ebc551f2b8f9 2881fc25 .config log report
ci-upstream-kasan-gce-root 2019/03/10 03:42 upstream 6cdc577a18a6 12365b99 .config log report
ci-upstream-kasan-gce-smack-root 2019/03/09 04:09 upstream 3601fe43e816 12365b99 .config log report
ci-upstream-kasan-gce-root 2019/03/08 23:23 upstream 610cd4eadec4 12365b99 .config log report
ci-upstream-kasan-gce-root 2019/03/05 20:30 upstream 63bdf4284c38 16559f86 .config log report
ci-upstream-kasan-gce 2018/08/27 04:51 upstream aba16dc5cf93 758cd203 .config log report
ci-upstream-kasan-gce-386 2019/04/07 03:54 upstream faac51ddac45 c34fde03 .config log report
ci-upstream-kasan-gce-386 2019/04/04 23:03 upstream 145f47c7381d e5d1b3ac .config log report
ci-upstream-kasan-gce-386 2019/03/30 12:11 upstream 0e40da3efeb0 c35ee0ea .config log report
ci-upstream-kasan-gce-386 2019/03/24 08:43 upstream 1bdd3dbfff7a acbc5b7d .config log report
ci-upstream-kasan-gce-386 2019/03/24 07:35 upstream a5ed1e96cafd a2cef203 .config log report
ci-upstream-kasan-gce-386 2019/03/17 12:07 upstream a9dce6679d73 ba18afea .config log report
ci-upstream-kasan-gce-386 2019/03/17 00:18 upstream 9c7dc824d9a4 bab43553 .config log report
ci-upstream-kasan-gce-386 2019/03/15 18:39 upstream f261c4e529da bab43553 .config log report
ci-upstream-kasan-gce-386 2019/03/15 08:13 upstream 3b319ee220a8 d72db19b .config log report
ci-upstream-kasan-gce-386 2019/03/14 20:21 upstream 3b319ee220a8 d72db19b .config log report
ci-upstream-kasan-gce-386 2019/03/14 12:15 upstream fa3d493f7a57 d09a902e .config log report
ci-upstream-kasan-gce-386 2019/03/13 22:02 upstream ebc551f2b8f9 2881fc25 .config log report
ci-upstream-kasan-gce-386 2019/03/11 18:04 upstream 12ad143e1b80 12365b99 .config log report
ci-upstream-kasan-gce-386 2019/03/11 08:11 upstream 12ad143e1b80 12365b99 .config log report
ci-upstream-kasan-gce-386 2019/03/10 14:43 upstream 6cdc577a18a6 12365b99 .config log report
ci-upstream-kasan-gce-386 2019/03/10 02:24 upstream 38e7571c07be 12365b99 .config log report
ci-upstream-kasan-gce-386 2019/03/08 16:49 upstream 610cd4eadec4 12365b99 .config log report
ci-upstream-kasan-gce-386 2019/03/04 21:04 upstream 736706bee329 7c693b52 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/19 22:29 linux-next 75e6a83b189c e4549234 .config log report
* Struck through repros no longer work on HEAD.