syzbot


KASAN: use-after-free Read in handle_tx

Status: auto-closed as invalid on 2022/05/12 13:20
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 407d, last: 294d

Sample crash report:
BUG: KASAN: use-after-free in handle_tx+0x573/0x610 drivers/net/caif/caif_serial.c:236
Read of size 8 at addr ffff88801a26b018 by task aoe_tx0/1351

CPU: 0 PID: 1351 Comm: aoe_tx0 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 handle_tx+0x573/0x610 drivers/net/caif/caif_serial.c:236
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one net/core/dev.c:3473 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3489
 __dev_queue_xmit+0x2985/0x3660 net/core/dev.c:4116
 tx+0x68/0xb0 drivers/block/aoe/aoenet.c:63
 kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1230
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 9171:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 alloc_tty_struct+0x94/0x920 drivers/tty/tty_io.c:3091
 tty_init_dev.part.0+0x20/0x610 drivers/tty/tty_io.c:1412
 tty_init_dev include/linux/err.h:36 [inline]
 tty_open_by_driver drivers/tty/tty_io.c:2086 [inline]
 tty_open+0xb16/0x1000 drivers/tty/tty_io.c:2133
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x4b9/0x1240 fs/open.c:824
 do_open fs/namei.c:3476 [inline]
 path_openat+0x1c9e/0x2940 fs/namei.c:3609
 do_filp_open+0x1aa/0x400 fs/namei.c:3636
 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214
 do_sys_open fs/open.c:1230 [inline]
 __do_sys_openat fs/open.c:1246 [inline]
 __se_sys_openat fs/open.c:1241 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3747:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xee/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf6/0x290 mm/slab.c:3794
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 insert_work+0x48/0x370 kernel/workqueue.c:1368
 __queue_work+0x5ca/0xf30 kernel/workqueue.c:1534
 queue_work_on+0xee/0x110 kernel/workqueue.c:1562
 kref_put include/linux/kref.h:65 [inline]
 tty_kref_put drivers/tty/tty_io.c:1570 [inline]
 release_tty+0x4e9/0x610 drivers/tty/tty_io.c:1606
 tty_release_struct+0xb4/0xe0 drivers/tty/tty_io.c:1705
 tty_release+0xc70/0x1200 drivers/tty/tty_io.c:1865
 __fput+0x286/0x9f0 fs/file_table.c:313
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 netlink_release+0xf08/0x1db0 net/netlink/af_netlink.c:813
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1318
 __fput+0x286/0x9f0 fs/file_table.c:313
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801a26b000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 24 bytes inside of
 2048-byte region [ffff88801a26b000, ffff88801a26b800)
The buggy address belongs to the page:
page:ffffea0000689ac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a26b
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000689908 ffffea0000689c08 ffff888010c40800
raw: 0000000000000000 ffff88801a26b000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, ts 13068116741, free_ts 0
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 device_create_groups_vargs+0x8a/0x280 drivers/base/core.c:4044
 device_create+0xdf/0x120 drivers/base/core.c:4104
 bdi_register_va.part.0+0x9c/0x800 mm/backing-dev.c:881
 bdi_register_va mm/backing-dev.c:916 [inline]
 bdi_register+0x12a/0x140 mm/backing-dev.c:913
 device_add_disk+0x7cb/0xd70 block/genhd.c:502
 add_disk include/linux/genhd.h:169 [inline]
 loop_add+0x71e/0x900 drivers/block/loop.c:2047
 loop_init+0x1f4/0x216 drivers/block/loop.c:2250
 do_one_initcall+0x103/0x650 init/main.c:1300
 do_initcall_level init/main.c:1373 [inline]
 do_initcalls init/main.c:1389 [inline]
 do_basic_setup init/main.c:1408 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1613
 kernel_init+0x1a/0x1d0 init/main.c:1502
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88801a26af00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801a26af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801a26b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88801a26b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801a26b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (15):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2022/02/11 13:19 upstream f1baf68e1383 0b33604d .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-kasan-gce-root 2022/01/16 11:43 upstream d0a231f01e5b 723cfaf0 .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-kasan-gce-smack-root 2022/01/08 21:02 upstream d1587f7bfe9a 2ca0d385 .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-kasan-gce-selinux-root 2022/01/04 04:56 upstream c9e6606c7fe9 7f723fbe .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-kasan-gce-root 2021/12/22 03:12 upstream 2f47a9a4dfa3 6caa12e4 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream 2021/12/11 03:23 upstream 9e65da135b39 49ca1f59 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream 2021/12/10 16:04 upstream c741e49150db fc17c959 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream 2021/11/11 08:31 upstream debe436e77c7 75b04091 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream 2021/11/01 01:08 upstream 8bb7eca972ad 098b5d53 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream 2021/10/25 09:59 upstream 87066fdd2e30 4f0000ee .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream-386 2021/11/29 01:36 upstream d06c942efea4 63eeac02 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream-386 2021/11/17 22:03 upstream ee1703cda8dc cafff8b6 .config log report info KASAN: use-after-free Read in handle_tx
ci-qemu-upstream-386 2021/10/21 14:14 upstream 2f111a6fd5b5 c5cb7da8 .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-linux-next-kasan-gce-root 2022/01/10 22:01 linux-next 57c149e506d5 ddb0ab8c .config log report info KASAN: use-after-free Read in handle_tx
ci-upstream-linux-next-kasan-gce-root 2022/01/04 18:42 linux-next 6b8d4927540e 0a2584dd .config log report info KASAN: use-after-free Read in handle_tx
* Struck through repros no longer work on HEAD.