syzbot
KASAN: use-after-free Read in cma_cancel_operation

Status: upstream: reported C repro on 2019/12/19 22:41
Reported-by: syzbot+7666be8c0fedfc221184@syzkaller.appspotmail.com
First crash: 1011d, last: 3d04h

Fix bisection: the fix commit could be any of (bisect log):
  4520f06b03ae Linux 4.14.175
  56dfe6252c68 Linux 4.14.188
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in cma_cancel_operation C done 6 908d 1058d 1/1 fixed on 2020/05/01 08:27
upstream KASAN: use-after-free Read in cma_cancel_operation C done 617 957d 1637d 17/24 fixed on 2020/05/10 10:42

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xd6/0xef lib/list_debug.c:54
Read of size 8 at addr ffff888091a6d3e0 by task syz-executor194/9051

CPU: 1 PID: 9051 Comm: syz-executor194 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 __list_del_entry_valid+0xd6/0xef lib/list_debug.c:54
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 cma_cancel_listens drivers/infiniband/core/cma.c:1603 [inline]
 cma_cancel_operation drivers/infiniband/core/cma.c:1631 [inline]
 cma_cancel_operation+0x280/0x940 drivers/infiniband/core/cma.c:1619
 rdma_destroy_id+0x8b/0xb50 drivers/infiniband/core/cma.c:1695
 ucma_close+0x105/0x300 drivers/infiniband/core/ucma.c:1753
 __fput+0x25f/0x790 fs/file_table.c:210
 task_work_run+0x113/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9f2/0x2b00 kernel/exit.c:858
 do_group_exit+0x100/0x310 kernel/exit.c:955
 get_signal+0x385/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1690 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x159/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4469d9
RSP: 002b:00007fec14272d08 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dbc48 RCX: 00000000004469d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc48
RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: 00007fec14272d10 R14: 00007fec14272d10 R15: 0000000000000000

Allocated by task 9051:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 rdma_create_id+0x57/0x4c0 drivers/infiniband/core/cma.c:790
 ucma_create_id+0x18b/0x500 drivers/infiniband/core/ucma.c:484
 ucma_write+0x206/0x2c0 drivers/infiniband/core/ucma.c:1672
 __vfs_write+0xe4/0x630 fs/read_write.c:480
 vfs_write+0x192/0x4e0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 9051:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 ucma_close+0x105/0x300 drivers/infiniband/core/ucma.c:1753
 __fput+0x25f/0x790 fs/file_table.c:210
 task_work_run+0x113/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9f2/0x2b00 kernel/exit.c:858
 do_group_exit+0x100/0x310 kernel/exit.c:955
 get_signal+0x385/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1690 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x159/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff888091a6d200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 480 bytes inside of
 1024-byte region [ffff888091a6d200, ffff888091a6d600)
The buggy address belongs to the page:
page:ffffea0002469b00 count:1 mapcount:0 mapping:ffff888091a6c000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888091a6c000 0000000000000000 0000000100000007
raw: ffffea0002446e20 ffff88812fe54848 ffff88812fe56ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888091a6d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888091a6d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888091a6d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888091a6d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888091a6d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (49):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2020/04/12 17:54 linux-4.14.y 4520f06b03ae 36b0b050 .config log report syz C
ci2-linux-4-14 2022/09/23 12:36 linux-4.14.y 4edbf74132a4 0042f2b4 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/09/17 18:09 linux-4.14.y 5df8b4735177 dd9a85ff .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/09/08 20:58 linux-4.14.y 65640c873dcf f3027468 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/09/06 20:05 linux-4.14.y 65640c873dcf 65aea2b9 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/08/15 02:29 linux-4.14.y b641242202ed 8dfcaa3d .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/08/05 02:20 linux-4.14.y b641242202ed 1c9013ac .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/08/03 20:59 linux-4.14.y b641242202ed 1c9013ac .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/08/03 16:12 linux-4.14.y b641242202ed 1c9013ac .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/08/02 18:55 linux-4.14.y b641242202ed fef302b1 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/07/04 05:39 linux-4.14.y ed2e96e11936 1434eec0 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/07/04 00:38 linux-4.14.y ed2e96e11936 1434eec0 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/07/02 04:09 linux-4.14.y f051383ef03b 1434eec0 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/06/26 23:49 linux-4.14.y f051383ef03b a371c43c .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/06/24 04:28 linux-4.14.y 84bae26850e3 912f5df7 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/06/09 17:45 linux-4.14.y b8f3be299d51 0d5abf15 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/05/29 08:40 linux-4.14.y 501eec4f9e13 a46af346 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/04/28 11:24 linux-4.14.y e3a56aaade89 8a1f1f07 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/04/26 13:59 linux-4.14.y 15a1c6b6f516 1fa34c1b .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/04/21 05:02 linux-4.14.y 15a1c6b6f516 d4befee1 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/04/01 08:20 linux-4.14.y af1af6ebca0e 68fc921a .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/03/06 15:09 linux-4.14.y e853993d29aa 7bdd8b2c .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/03/03 06:21 linux-4.14.y e853993d29aa 45a13a73 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2022/02/28 15:36 linux-4.14.y fa33f9094f36 45a13a73 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/12/30 17:56 linux-4.14.y a6ca7c65b137 2e49f10d .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/12/11 08:17 linux-4.14.y c01d4d1b885d 49ca1f59 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/05/14 16:47 linux-4.14.y 7d7d1c0ab3eb 8bdd5343 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/04/30 17:21 linux-4.14.y 7d7d1c0ab3eb 77e2b668 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/04/30 08:46 linux-4.14.y 7d7d1c0ab3eb 77e2b668 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/04/27 12:31 linux-4.14.y cf256fbcbe34 805b5003 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/04/09 10:16 linux-4.14.y 0cc244011f40 6a81331a .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/03/10 21:34 linux-4.14.y 1d177c0872ab 764067f3 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/03/09 00:17 linux-4.14.y 1d177c0872ab 09fbf400 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/03/06 00:57 linux-4.14.y 397a88b2cc86 4a024a9b .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/02/01 06:23 linux-4.14.y 2c8a3fceddf0 fc9fd31e .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/01/30 17:56 linux-4.14.y 2c8a3fceddf0 fc9fd31e .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/01/19 01:46 linux-4.14.y 2762b48e9611 63631df1 .config log report info KASAN: use-after-free Read in cma_cancel_operation
ci2-linux-4-14 2021/01/09 17:04 linux-4.14.y ec822b3e8bf4 a6c52263 .config log report info
ci2-linux-4-14 2020/12/18 08:49 linux-4.14.y 3f2ecb86cb90 04201c06 .config log report info
ci2-linux-4-14 2020/08/01 15:03 linux-4.14.y 7f2c5eb458b8 8df85ed9 .config log report
ci2-linux-4-14 2020/05/15 22:02 linux-4.14.y ab9dfda23248 d7f9fffa .config log report
ci2-linux-4-14 2020/04/30 05:49 linux-4.14.y 050272a0423e 2dd552a5 .config log report
ci2-linux-4-14 2020/04/30 01:17 linux-4.14.y 050272a0423e 2dd552a5 .config log report
ci2-linux-4-14 2019/12/31 12:51 linux-4.14.y 4c5bf01e16a7 7f117e28 .config log report
ci2-linux-4-14 2019/12/30 11:29 linux-4.14.y e1f7d50ae3a3 af6b8ef8 .config log report
ci2-linux-4-14 2019/12/25 04:24 linux-4.14.y e1f7d50ae3a3 be5c2c81 .config log report
ci2-linux-4-14 2019/12/24 22:38 linux-4.14.y e1f7d50ae3a3 be5c2c81 .config log report
ci2-linux-4-14 2019/12/19 22:43 linux-4.14.y bfb9e5c03076 36650b4b .config log report
ci2-linux-4-14 2019/12/19 22:40 linux-4.14.y bfb9e5c03076 36650b4b .config log report
* Struck through repros no longer work on HEAD.