syzbot


KASAN: use-after-free Read in sock_def_write_space (4)

Status: auto-closed as invalid on 2022/08/04 16:53
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 381d, last: 213d
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in sock_def_write_space (3) 21 564d 801d 0/24 auto-closed as invalid on 2021/08/18 10:16
upstream KASAN: use-after-free Read in sock_def_write_space (2) C error 29 810d 867d 17/24 fixed on 2020/09/16 22:51
upstream KASAN: use-after-free Read in sock_def_write_space C done 67 868d 1234d 17/24 fixed on 2020/07/20 08:03

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in list_empty include/linux/list.h:292 [inline]
BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:129 [inline]
BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:163 [inline]
BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2294 [inline]
BUG: KASAN: use-after-free in sock_def_write_space+0x62e/0x640 net/core/sock.c:3164
Read of size 8 at addr ffff8880418e6980 by task syz-fuzzer/3594

CPU: 0 PID: 3594 Comm: syz-fuzzer Not tainted 5.17.0-rc7-syzkaller-00060-g92f90cc9fe0e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 list_empty include/linux/list.h:292 [inline]
 waitqueue_active include/linux/wait.h:129 [inline]
 wq_has_sleeper include/linux/wait.h:163 [inline]
 skwq_has_sleeper include/net/sock.h:2294 [inline]
 sock_def_write_space+0x62e/0x640 net/core/sock.c:3164
 sock_wfree+0x1cc/0x240 net/core/sock.c:2296
 skb_release_head_state+0x9f/0x2a0 net/core/skbuff.c:729
 skb_release_all net/core/skbuff.c:740 [inline]
 napi_consume_skb+0x1b5/0x340 net/core/skbuff.c:992
 free_old_xmit_skbs+0xe4/0x270 drivers/net/virtio_net.c:1484
 virtnet_poll_tx+0x21d/0x5d0 drivers/net/virtio_net.c:1619
 __napi_poll+0xb3/0x6e0 net/core/dev.c:6365
 napi_poll net/core/dev.c:6432 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:6519
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240
 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
RIP: 0033:0x5145a0
Code: e8 c5 e5 f4 ff 48 8b 44 24 08 48 8b 5c 24 10 48 8b 4c 24 18 48 8b 7c 24 20 e9 cc fe ff ff cc cc cc cc cc cc cc cc cc cc cc cc <49> 3b 66 10 0f 86 e4 01 00 00 48 83 c4 80 48 89 6c 24 78 48 8d 6c
RSP: 002b:000000c001fbea30 EFLAGS: 00000286
RAX: 00000000008ac2d8 RBX: 000000c01bf5c980 RCX: 000000c01bde6c00
RDX: 000000c001fbf0f0 RSI: 00000000005145a0 RDI: 000000c001fbf0f0
RBP: 000000c001fbebb0 R08: 000000c01bf5f1b0 R09: 0000000000000008
R10: 00000000008ac2d8 R11: 000000c01bf5c980 R12: 000000c001fbeab8
R13: 0000000000000000 R14: 000000c00d9ba1a0 R15: 00007f5f1a6a6362
 </TASK>

Allocated by task 26613:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x85/0xb0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc mm/slab.c:3315 [inline]
 kmem_cache_alloc+0x1bc/0x560 mm/slab.c:3499
 sock_alloc_inode+0x18/0x1c0 net/socket.c:304
 alloc_inode+0x61/0x230 fs/inode.c:260
 new_inode_pseudo+0x14/0xe0 fs/inode.c:1018
 sock_alloc+0x3c/0x260 net/socket.c:627
 __sock_create+0xb9/0x790 net/socket.c:1432
 sock_create net/socket.c:1519 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1561
 __do_sys_socket net/socket.c:1570 [inline]
 __se_sys_socket net/socket.c:1568 [inline]
 __x64_sys_socket+0x6f/0xb0 net/socket.c:1568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3595:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kmem_cache_free.part.0+0x91/0x200 mm/slab.c:3733
 i_callback+0x3f/0x70 fs/inode.c:249
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b1/0x1820 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 destroy_inode+0x129/0x1b0 fs/inode.c:315
 iput_final fs/inode.c:1744 [inline]
 iput.part.0+0x562/0x820 fs/inode.c:1770
 iput+0x58/0x70 fs/inode.c:1760
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
 __dentry_kill+0x3c0/0x640 fs/dcache.c:607
 dentry_kill fs/dcache.c:733 [inline]
 dput+0x806/0xdb0 fs/dcache.c:913
 __fput+0x3ab/0x9f0 fs/file_table.c:330
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 destroy_inode+0x129/0x1b0 fs/inode.c:315
 iput_final fs/inode.c:1744 [inline]
 iput.part.0+0x562/0x820 fs/inode.c:1770
 iput+0x58/0x70 fs/inode.c:1760
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
 __dentry_kill+0x3c0/0x640 fs/dcache.c:607
 dentry_kill fs/dcache.c:733 [inline]
 dput+0x806/0xdb0 fs/dcache.c:913
 __fput+0x3ab/0x9f0 fs/file_table.c:330
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 get_signal+0x45a/0x2490 kernel/signal.c:2863
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880418e6900
 which belongs to the cache sock_inode_cache of size 1408
The buggy address is located 128 bytes inside of
 1408-byte region [ffff8880418e6900, ffff8880418e6e80)
The buggy address belongs to the page:
page:ffffea0001063980 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880418e6ffe pfn:0x418e6
memcg:ffff888072ed2601
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001063448 ffffea0000a77dc8 ffff8881400a2f00
raw: ffff8880418e6ffe ffff8880418e6300 0000000100000002 ffff888072ed2601
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x2420d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE|__GFP_RECLAIMABLE), pid 3626, ts 166187873411, free_ts 11772526302
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x390 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3308 [inline]
 kmem_cache_alloc+0x450/0x560 mm/slab.c:3499
 sock_alloc_inode+0x18/0x1c0 net/socket.c:304
 alloc_inode+0x61/0x230 fs/inode.c:260
 new_inode_pseudo+0x14/0xe0 fs/inode.c:1018
 sock_alloc+0x3c/0x260 net/socket.c:627
 __sock_create+0xb9/0x790 net/socket.c:1432
 sock_create net/socket.c:1519 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1561
 __do_sys_socket net/socket.c:1570 [inline]
 __se_sys_socket net/socket.c:1568 [inline]
 __x64_sys_socket+0x6f/0xb0 net/socket.c:1568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 free_contig_range+0xa8/0xf0 mm/page_alloc.c:9335
 destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1018
 debug_vm_pgtable+0x298e/0x2a20 mm/debug_vm_pgtable.c:1332
 do_one_initcall+0x103/0x650 init/main.c:1300
 do_initcall_level init/main.c:1373 [inline]
 do_initcalls init/main.c:1389 [inline]
 do_basic_setup init/main.c:1408 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1613
 kernel_init+0x1a/0x1d0 init/main.c:1502
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff8880418e6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880418e6900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880418e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880418e6a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880418e6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2022/03/09 04:02 upstream 92f90cc9fe0e 9e8eaa75 .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-qemu-upstream 2021/12/12 09:00 upstream a763d5a5abd6 49ca1f59 .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-qemu-upstream 2021/11/19 17:21 upstream 4c388a8e740d 3a9d0024 .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-qemu-upstream-386 2021/12/31 08:01 upstream 9bad743e8d22 36bd2e48 .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-upstream-net-this-kasan-gce 2022/05/06 16:52 net c88d3908516d e60b1103 .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-upstream-net-kasan-gce 2022/04/26 20:16 net-next cc271ab86606 1fa34c1b .config log report info KASAN: use-after-free Read in sock_def_write_space
ci-upstream-net-kasan-gce 2022/01/14 09:42 net-next fe8152b38d3a b8d780ab .config log report info KASAN: use-after-free Read in sock_def_write_space
* Struck through repros no longer work on HEAD.