syzbot


KASAN: use-after-free Read in rxrpc_send_keepalive

Status: fixed on 2019/12/18 17:42
Reported-by: syzbot+627d7d265d56df07b8c7@syzkaller.appspotmail.com
Fix commit: 570ab0dd35f9 rxrpc: Fix call ref leak
First crash: 1684d, last: 1611d
Fix bisection: fixed by (bisect log) :
commit 570ab0dd35f95a2260d509c4108debd224fdfdf5
Author: David Howells <dhowells@redhat.com>
Date: Mon Oct 7 09:58:28 2019 +0000

  rxrpc: Fix call ref leak

  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in rxrpc_send_keepalive afs net C error 694 1620d 1692d 13/26 fixed on 2019/11/04 14:50

Sample crash report:
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x83e/0x8e0 net/rxrpc/output.c:637
Read of size 8 at addr ffff88808fcfd218 by task kworker/1:2/3203

CPU: 1 PID: 3203 Comm: kworker/1:2 Not tainted 4.19.81 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 rxrpc_send_keepalive+0x83e/0x8e0 net/rxrpc/output.c:637
 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:366 [inline]
 rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:427
 process_one_work+0x989/0x1750 kernel/workqueue.c:2153
 worker_thread+0x98/0xe40 kernel/workqueue.c:2296
 kthread+0x354/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 7369:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 syslog_print kernel/printk/printk.c:1302 [inline]
 do_syslog kernel/printk/printk.c:1470 [inline]
 do_syslog+0x9e7/0x1690 kernel/printk/printk.c:1444
 kmsg_read+0x8f/0xc0 fs/proc/kmsg.c:40
 proc_reg_read+0x1f8/0x2b0 fs/proc/inode.c:231
 __vfs_read+0x114/0x800 fs/read_write.c:416
 vfs_read+0x194/0x3d0 fs/read_write.c:452
 ksys_read+0x14f/0x2d0 fs/read_write.c:579
 __do_sys_read fs/read_write.c:589 [inline]
 __se_sys_read fs/read_write.c:587 [inline]
 __x64_sys_read+0x73/0xb0 fs/read_write.c:587
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7369:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 syslog_print kernel/printk/printk.c:1353 [inline]
 do_syslog kernel/printk/printk.c:1470 [inline]
 do_syslog+0xcf2/0x1690 kernel/printk/printk.c:1444
 kmsg_read+0x8f/0xc0 fs/proc/kmsg.c:40
 proc_reg_read+0x1f8/0x2b0 fs/proc/inode.c:231
 __vfs_read+0x114/0x800 fs/read_write.c:416
 vfs_read+0x194/0x3d0 fs/read_write.c:452
 ksys_read+0x14f/0x2d0 fs/read_write.c:579
 __do_sys_read fs/read_write.c:589 [inline]
 __se_sys_read fs/read_write.c:587 [inline]
 __x64_sys_read+0x73/0xb0 fs/read_write.c:587
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808fcfd200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [ffff88808fcfd200, ffff88808fcfd600)
The buggy address belongs to the page:
page:ffffea00023f3f00 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea00023fc088 ffffea0001f47008 ffff88812c3f0ac0
raw: 0000000000000000 ffff88808fcfc000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808fcfd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88808fcfd180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808fcfd200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88808fcfd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808fcfd300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/10/29 22:44 linux-4.19.y ef244c308885 5ea87a66 .config console log report syz ci2-linux-4-19
2019/09/14 11:44 linux-4.19.y ee809c7e0895 32d59357 .config console log report syz ci2-linux-4-19
2019/10/29 21:09 linux-4.19.y ef244c308885 5ea87a66 .config console log report ci2-linux-4-19
2019/09/14 10:58 linux-4.19.y ee809c7e0895 32d59357 .config console log report ci2-linux-4-19
2019/08/22 10:55 linux-4.19.y a5aa80588fcd 4ea67ff8 .config console log report ci2-linux-4-19
2019/08/17 12:48 linux-4.19.y a5aa80588fcd 8fd428a1 .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.