syzbot


KASAN: use-after-free Write in j1939_sock_pending_del

Status: fixed on 2023/08/10 11:20
Subsystems: can
[Documentation on labels]
Reported-by: syzbot+07bb74aeafc88ba7d5b4@syzkaller.appspotmail.com
Fix commit: fd81ebfe7975 can: j1939: socket: rework socket locking for j1939_sk_release() and j1939_sk_sendmsg()
First crash: 1596d, last: 1584d
Cause bisection: introduced by (bisect log) :
commit 9d71dd0c70099914fcd063135da3c580865e924c
Author: The j1939 authors <linux-can@vger.kernel.org>
Date: Mon Oct 8 09:48:36 2018 +0000

  can: add support of SAE J1939 protocol

Crash: KASAN: use-after-free Write in j1939_sock_pending_del (log)
Repro: syz .config
  
Fix bisection: failed (error log, bisect log)
  
Discussions (2)
Title Replies (including bot) Last reply
KASAN: use-after-free Write in j1939_sock_pending_del 1 (4) 2023/07/17 12:32
[PATCH v1 0/9] can: j1939: fix multiple issues found by syzbot 16 (16) 2019/11/13 10:04
Last patch testing requests (10)
Created Duration User Patch Repo Result
2023/03/29 05:32 19m retest repro upstream OK log
2023/03/29 03:32 19m retest repro upstream OK log
2023/03/22 12:32 18m retest repro net-next OK log
2022/12/19 03:31 14m retest repro upstream report log
2022/12/19 00:31 14m retest repro upstream report log
2022/12/17 07:31 12m retest repro upstream report log
2022/12/17 04:31 13m retest repro upstream report log
2022/12/15 11:31 14m retest repro upstream report log
2022/12/12 09:31 13m retest repro net-next-old report log
2022/09/10 00:27 10m retest repro upstream report log

Sample crash report:
vcan0: j1939_xtp_rx_abort_one: 0x0000000025764b47: 0x00000: (2) System resources were needed for another task so this connection managed session was terminated.
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
BUG: KASAN: use-after-free in atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
BUG: KASAN: use-after-free in j1939_sock_pending_del+0x20/0x70 net/can/j1939/socket.c:73
Write of size 4 at addr ffff888098acd4c0 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98
 atomic_sub_return include/asm-generic/atomic-instrumented.h:159 [inline]
 atomic_dec_return include/linux/atomic-fallback.h:455 [inline]
 j1939_sock_pending_del+0x20/0x70 net/can/j1939/socket.c:73
 __j1939_session_drop net/can/j1939/transport.c:257 [inline]
 j1939_session_destroy net/can/j1939/transport.c:270 [inline]
 __j1939_session_release net/can/j1939/transport.c:280 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put+0xd2/0x150 net/can/j1939/transport.c:285
 j1939_xtp_rx_abort_one+0xd3/0x3f0 net/can/j1939/transport.c:1261
 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline]
 j1939_tp_recv+0x633/0xb80 net/can/j1939/transport.c:1973
 j1939_can_recv+0x424/0x650 net/can/j1939/main.c:100
 deliver net/can/af_can.c:568 [inline]
 can_rcv_filter+0x3c0/0x8b0 net/can/af_can.c:602
 can_receive+0x2ac/0x3b0 net/can/af_can.c:659
 can_rcv+0xe4/0x220 net/can/af_can.c:685
 __netif_receive_skb_one_core net/core/dev.c:4929 [inline]
 __netif_receive_skb+0x136/0x370 net/core/dev.c:5043
 process_backlog+0x4d8/0x930 net/core/dev.c:5874
 napi_poll net/core/dev.c:6311 [inline]
 net_rx_action+0x5ef/0x10d0 net/core/dev.c:6379
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766
 run_ksoftirqd+0x64/0xf0 kernel/softirq.c:603
 smpboot_thread_fn+0x5b3/0x9a0 kernel/smpboot.c:165
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8213:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x254/0x340 mm/slab.c:3664
 kmalloc include/linux/slab.h:561 [inline]
 sk_prot_alloc+0xb0/0x290 net/core/sock.c:1605
 sk_alloc+0x38/0x950 net/core/sock.c:1659
 can_create+0x1de/0x480 net/can/af_can.c:157
 __sock_create+0x5cc/0x910 net/socket.c:1418
 sock_create net/socket.c:1469 [inline]
 __sys_socket+0xe7/0x2e0 net/socket.c:1511
 __do_sys_socket net/socket.c:1520 [inline]
 __se_sys_socket net/socket.c:1518 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1518
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x115/0x200 mm/slab.c:3756
 sk_prot_free net/core/sock.c:1642 [inline]
 __sk_destruct+0x523/0x620 net/core/sock.c:1726
 sk_destruct net/core/sock.c:1741 [inline]
 __sk_free+0x35d/0x430 net/core/sock.c:1752
 sock_wfree+0x106/0x140 net/core/sock.c:1968
 skb_release_head_state+0x100/0x210 net/core/skbuff.c:652
 skb_release_all net/core/skbuff.c:663 [inline]
 __kfree_skb+0x25/0x170 net/core/skbuff.c:679
 kfree_skb net/core/skbuff.c:697 [inline]
 skb_queue_purge+0x1a6/0x260 net/core/skbuff.c:3078
 j1939_session_destroy net/can/j1939/transport.c:269 [inline]
 __j1939_session_release net/can/j1939/transport.c:280 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put+0x7f/0x150 net/can/j1939/transport.c:285
 j1939_xtp_rx_abort_one+0xd3/0x3f0 net/can/j1939/transport.c:1261
 j1939_xtp_rx_abort net/can/j1939/transport.c:1269 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:1940 [inline]
 j1939_tp_recv+0x633/0xb80 net/can/j1939/transport.c:1973
 j1939_can_recv+0x424/0x650 net/can/j1939/main.c:100
 deliver net/can/af_can.c:568 [inline]
 can_rcv_filter+0x3c0/0x8b0 net/can/af_can.c:602
 can_receive+0x2ac/0x3b0 net/can/af_can.c:659
 can_rcv+0xe4/0x220 net/can/af_can.c:685
 __netif_receive_skb_one_core net/core/dev.c:4929 [inline]
 __netif_receive_skb+0x136/0x370 net/core/dev.c:5043
 process_backlog+0x4d8/0x930 net/core/dev.c:5874
 napi_poll net/core/dev.c:6311 [inline]
 net_rx_action+0x5ef/0x10d0 net/core/dev.c:6379
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766

The buggy address belongs to the object at ffff888098acd000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1216 bytes inside of
 2048-byte region [ffff888098acd000, ffff888098acd800)
The buggy address belongs to the page:
page:ffffea000262b340 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00024fb808 ffffea000261e548 ffff8880aa400e00
raw: 0000000000000000 ffff888098acd000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098acd380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888098acd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888098acd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888098acd500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888098acd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/11/07 10:18 upstream 4dd58158254c d797d201 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/11/05 11:01 upstream a99d8080aaf3 76630fc9 .config console log report syz ci-upstream-kasan-gce
2019/11/05 03:13 upstream a99d8080aaf3 76630fc9 .config console log report syz ci-upstream-kasan-gce-smack-root
2019/11/07 14:54 upstream 4dd58158254c d797d201 .config console log report syz ci-upstream-kasan-gce-root
2019/11/06 01:27 upstream a99d8080aaf3 0f3ec414 .config console log report syz ci-upstream-kasan-gce-root
2019/11/05 03:46 net-next-old 1574cf83c7a0 76630fc9 .config console log report syz ci-upstream-net-kasan-gce
2019/11/17 03:29 upstream 6c9594bdd474 d5696d51 .config console log report ci-upstream-kasan-gce-root
2019/11/15 15:52 upstream 96b95eff4a59 cdac920b .config console log report ci-upstream-kasan-gce-root
2019/11/12 06:59 upstream de620fb99ef2 048f2d49 .config console log report ci-upstream-kasan-gce
2019/11/11 19:25 upstream 31f4f5b495a6 048f2d49 .config console log report ci-upstream-kasan-gce-smack-root
2019/11/11 11:29 upstream 9805a68371ce dc438b91 .config console log report ci-upstream-kasan-gce-smack-root
2019/11/11 10:15 upstream 9805a68371ce dc438b91 .config console log report ci-upstream-kasan-gce-selinux-root
2019/11/06 03:50 upstream 26bc67213424 bc2c6e45 .config console log report ci-upstream-kasan-gce-root
2019/11/06 00:59 upstream a99d8080aaf3 0f3ec414 .config console log report ci-upstream-kasan-gce-root
2019/11/16 16:55 net-next-old 20021578ba22 d5696d51 .config console log report ci-upstream-net-kasan-gce
2019/11/10 21:14 net-next-old 7941af9b38fa dc438b91 .config console log report ci-upstream-net-kasan-gce
2019/11/09 01:13 linux-next 5591cf003452 dc438b91 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.