syzbot


KASAN: use-after-free Read in lock_sock_nested

Status: closed as invalid on 2019/03/07 05:41
First crash: 2475d, last: 2282d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in lock_sock_nested C 471 631d 1944d 0/1 upstream: reported C repro on 2019/07/26 21:27
linux-4.14 KASAN: use-after-free Read in lock_sock_nested C inconclusive 331 671d 2038d 0/1 upstream: reported C repro on 2019/04/24 06:28
upstream KASAN: use-after-free Read in lock_sock_nested hams C inconclusive done 1856 541d 2150d 0/28 auto-obsoleted due to no activity on 2023/08/23 09:06
android-44 KASAN: use-after-free Read in lock_sock_nested C 40 2280d 2051d 0/2 public: reported C repro on 2019/04/11 08:44
linux-6.1 general protection fault in lock_sock_nested origin:upstream syz 65 23h51m 221d 0/3 upstream: reported syz repro on 2024/04/14 08:46
linux-5.15 BUG: sleeping function called from invalid context in lock_sock_nested origin:upstream missing-backport C error 22 32d 145d 0/3 upstream: reported C repro on 2024/06/29 07:50

Sample crash report:
l2tp_core: tunl 4: fd 7 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 4 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 7 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 4 wrong protocol, got 1, expected 17
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
Read of size 8 at addr ffff8801d3f99a20 by task syzkaller540979/4836

CPU: 0 PID: 4836 Comm: syzkaller540979 Not tainted 4.9.83-ga92bb8d #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d387f600 ffffffff81d95149 ffffea00074fe600 ffff8801d3f99a20
 0000000000000000 ffff8801d3f99a20 ffff8801d3f99a20 ffff8801d387f638
 ffffffff8153e213 ffff8801d3f99a20 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81d95149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d95149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e213>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e735>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e735>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e894>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff8123ef2f>] __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
 [<ffffffff812400ae>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [<ffffffff838b43da>] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
 [<ffffffff838b43da>] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 [<ffffffff82ee5013>] spin_lock_bh include/linux/spinlock.h:307 [inline]
 [<ffffffff82ee5013>] lock_sock_nested+0x43/0x120 net/core/sock.c:2503
 [<ffffffff8358f400>] lock_sock include/net/sock.h:1404 [inline]
 [<ffffffff8358f400>] pppol2tp_release+0x50/0x2e0 net/l2tp/l2tp_ppp.c:476
 [<ffffffff82ed589d>] sock_release+0x8d/0x1e0 net/socket.c:599
 [<ffffffff82ed5a06>] sock_close+0x16/0x20 net/socket.c:1046
 [<ffffffff8157580c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81575ce5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81195855>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113c2c7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113c2c7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811429d8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81165854>] get_signal+0x4d4/0x14e0 kernel/signal.c:2317
 [<ffffffff81052c87>] do_signal+0x87/0x19f0 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:157
 [<ffffffff81007261>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [<ffffffff81007261>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [<ffffffff81007261>] do_syscall_32_irqs_on arch/x86/entry/common.c:331 [inline]
 [<ffffffff81007261>] do_fast_syscall_32+0x5c1/0x870 arch/x86/entry/common.c:387
 [<ffffffff838b6590>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Allocated by task 4837:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1338
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:534
 pppox_create+0xf1/0x200 drivers/net/ppp/pppox.c:121
 __sock_create+0x3ab/0x640 net/socket.c:1182
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Freed by task 4836:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 sk_prot_free net/core/sock.c:1377 [inline]
 __sk_destruct+0x47f/0x570 net/core/sock.c:1455
 sk_destruct+0x47/0x80 net/core/sock.c:1463
 __sk_free+0x57/0x230 net/core/sock.c:1471
 sk_free+0x23/0x30 net/core/sock.c:1482
 sock_put include/net/sock.h:1588 [inline]
 pppol2tp_session_sock_put+0x5a/0x70 net/l2tp/l2tp_ppp.c:271
 l2tp_tunnel_closeall+0x254/0x3a0 net/l2tp/l2tp_core.c:1371
 l2tp_udp_encap_destroy+0x87/0xe0 net/l2tp/l2tp_core.c:1394
 udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1336
 sk_common_release+0x6b/0x2f0 net/core/sock.c:2727
 udp_lib_close+0x15/0x20 include/net/udp.h:203
 inet_release+0xfa/0x1d0 net/ipv4/af_inet.c:434
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:440
 sock_release+0x8d/0x1e0 net/socket.c:599
 sock_close+0x16/0x20 net/socket.c:1046
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:331 [inline]
 do_fast_syscall_32+0x5c1/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

The buggy address belongs to the object at ffff8801d3f99980
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff8801d3f99980, ffff8801d3f9a180)
The buggy address belongs to the page:
page:ffffea00074fe600 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d3f99900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3f99980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d3f99a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801d3f99a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d3f99b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
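Reading the three stacks together gives the whole story: the `struct sock` of a PPPoL2TP socket is allocated in pppol2tp_create through sk_prot_alloc (kmalloc-2048, task 4837); it is freed when the tunnel's IPv6 UDP socket is closed, because udpv6_destroy_sock reaches l2tp_udp_encap_destroy, which tears down every session via l2tp_tunnel_closeall, and pppol2tp_session_sock_put drops what turns out to be the last reference (task 4836); the same task then closes the PPPoL2TP file descriptor itself, pppol2tp_release calls lock_sock, and lockdep's 8-byte read of the socket spinlock 160 bytes into the freed object is what KASAN traps. Both close() calls run from task_work during exit, so the order in which the two descriptors are torn down decides whether the dangling pointer is dereferenced. The "wrong protocol, got 1, expected 17" lines above the report are l2tp_core rejecting a non-UDP (IPPROTO_ICMP) socket offered as a tunnel fd and are unrelated noise. The script below is an added triage helper written for this page, not syzbot's own code: it parses an excerpt of this report, recomputes the offset into the object and checks it against the stated 160 bytes, decodes the shadow byte covering the faulting address (legend values taken from mm/kasan/kasan.h of that kernel era), and pulls the first net/l2tp/ frame out of each stack; the embedded report text is a constructed excerpt with intermediate frames dropped.

```python
import re

# Constructed excerpt of the sample report shown above; intermediate frames
# are dropped, everything kept is verbatim from the page.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
Read of size 8 at addr ffff8801d3f99a20 by task syzkaller540979/4836
Call Trace:
 [<ffffffff8153e735>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8123ef2f>] __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
 [<ffffffff838b43da>] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 [<ffffffff82ee5013>] lock_sock_nested+0x43/0x120 net/core/sock.c:2503
 [<ffffffff8358f400>] lock_sock include/net/sock.h:1404 [inline]
 [<ffffffff8358f400>] pppol2tp_release+0x50/0x2e0 net/l2tp/l2tp_ppp.c:476

Allocated by task 4837:
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1338
 pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:534

Freed by task 4836:
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 kfree+0x103/0x300 mm/slub.c:3878
 sk_prot_free net/core/sock.c:1377 [inline]
 sock_put include/net/sock.h:1588 [inline]
 pppol2tp_session_sock_put+0x5a/0x70 net/l2tp/l2tp_ppp.c:271
 l2tp_tunnel_closeall+0x254/0x3a0 net/l2tp/l2tp_core.c:1371
 l2tp_udp_encap_destroy+0x87/0xe0 net/l2tp/l2tp_core.c:1394

The buggy address belongs to the object at ffff8801d3f99980
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff8801d3f99980, ffff8801d3f9a180)
Memory state around the buggy address:
 ffff8801d3f99980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d3f99a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Shadow byte values of the generic KASAN in this kernel era (mm/kasan/kasan.h).
SHADOW = {0xfa: "global redzone", 0xfb: "freed slab object", 0xfc: "slab redzone",
          0xfe: "page redzone", 0xff: "freed page"}
# Files that belong to the detector, allocator or locking plumbing, not to the bug.
PLUMBING = ("mm/kasan/", "mm/slub.c", "include/linux/slab.h", "kernel/locking/",
            "include/linux/spinlock", "lib/dump_stack", "arch/x86/kernel/stacktrace")
# One stack frame: optional "[<addr>]", function, optional +off/len, then file:line.
FRAME = re.compile(r"^\s*(?:\[<[0-9a-f]+>\]\s*)?(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")


def parse_report(text):
    """Pull the access, object geometry, three stacks and shadow byte out of a KASAN report."""
    kind, site = re.search(r"BUG: KASAN: (\S+) in (\S+)", text).groups()
    rw, size, addr, task = re.search(
        r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text).groups()
    obj, cache, osize = re.search(
        r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)", text).groups()
    rep = {"kind": kind, "site": site, "access": rw, "size": int(size), "addr": int(addr, 16),
           "object": int(obj, 16), "cache": cache, "object_size": int(osize),
           "stated_offset": int(re.search(r"located (\d+) bytes inside", text).group(1)),
           "tasks": {"use": int(task)}, "stacks": {}}
    # Each stack starts at its header line and runs to the next blank line.
    for name, header in (("use", "Call Trace:"), ("alloc", "Allocated by task"),
                         ("free", "Freed by task")):
        m = re.search(re.escape(header) + r"(?: (\d+):)?\n(.*?)(?:\n\n|\Z)", text, re.S)
        if m.group(1):
            rep["tasks"][name] = int(m.group(1))
        rep["stacks"][name] = [f.groups() for f in map(FRAME.match, m.group(2).splitlines()) if f]
    # Shadow rows: 16 shadow bytes per row, each covering 8 bytes of memory.
    for base, row in re.findall(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        b = int(base, 16)
        if b <= rep["addr"] < b + 128:
            rep["shadow"] = int(row.split()[(rep["addr"] - b) // 8], 16)
    return rep


def frame_in(frames, prefix):
    """First frame whose file starts with prefix; prefix=None means first non-plumbing frame."""
    for func, loc in frames:
        hit = loc.startswith(prefix) if prefix else not loc.startswith(PLUMBING)
        if hit:
            return func, loc
    return None


def triage(report, subsystem):
    """Cross-check the report's arithmetic and name the subsystem frames a triager would quote."""
    off = report["addr"] - report["object"]
    return {
        "offset": off,
        "offset_consistent": off == report["stated_offset"] and off + report["size"] <= report["object_size"],
        "shadow": SHADOW.get(report.get("shadow"), "unknown"),
        "use": frame_in(report["stacks"]["use"], subsystem),
        "alloc": frame_in(report["stacks"]["alloc"], subsystem),
        "free": frame_in(report["stacks"]["free"], subsystem),
        "free_and_use_same_task": report["tasks"]["free"] == report["tasks"]["use"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT), "net/l2tp/").items():
        print(f"{key}: {value}")
```

The subsystem prefix is a triager's choice; `net/l2tp/` is the deepest directory shared by the three interesting frames here, and the same script run with `None` instead returns lock_sock_nested as the first non-plumbing frame, which is the generic function the bug title is named after rather than the code that owns the bug.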

Crashes (39):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/02/25 09:26 https://android.googlesource.com/kernel/common android-4.9 a92bb8d6eac3 5c1e0207 .config console log report syz C ci-android-49-kasan-gce-386
2018/08/23 02:36 https://android.googlesource.com/kernel/common android-4.9 8dd3fc2ed765 95b5c82b .config console log report syz ci-android-49-kasan-gce-root
2018/08/22 18:38 https://android.googlesource.com/kernel/common android-4.9 8dd3fc2ed765 95b5c82b .config console log report syz ci-android-49-kasan-gce
2018/08/22 19:10 https://android.googlesource.com/kernel/common android-4.9 8dd3fc2ed765 95b5c82b .config console log report syz ci-android-49-kasan-gce-386
2018/07/05 00:39 https://android.googlesource.com/kernel/common android-4.9 03c70feafdb2 e1b966c6 .config console log report syz ci-android-49-kasan-gce-386
2018/06/02 06:41 https://android.googlesource.com/kernel/common android-4.9 d7e64f8022e4 2f93b54f .config console log report syz ci-android-49-kasan-gce-386
2018/04/27 00:29 https://android.googlesource.com/kernel/common android-4.9 71fce1edd26d 73417389 .config console log report syz ci-android-49-kasan-gce-386
2018/04/06 03:46 https://android.googlesource.com/kernel/common android-4.9 7cd956196346 a932eae6 .config console log report syz ci-android-49-kasan-gce-386
2018/08/04 23:49 https://android.googlesource.com/kernel/common android-4.9 8b21e85d919c 3476a2df .config console log report ci-android-49-kasan-gce
2018/08/02 13:12 https://android.googlesource.com/kernel/common android-4.9 0137ea2134c0 0a7cf4ec .config console log report ci-android-49-kasan-gce
2018/07/30 01:36 https://android.googlesource.com/kernel/common android-4.9 990559158c7b 1a381291 .config console log report ci-android-49-kasan-gce
2018/07/23 14:08 https://android.googlesource.com/kernel/common android-4.9 47bbcd6bf8f9 f69c5fcd .config console log report ci-android-49-kasan-gce
2018/07/23 04:33 https://android.googlesource.com/kernel/common android-4.9 47bbcd6bf8f9 8cc079c3 .config console log report ci-android-49-kasan-gce
2018/07/17 20:35 https://android.googlesource.com/kernel/common android-4.9 f540ce029f50 6d5bd5b5 .config console log report ci-android-49-kasan-gce-root
2018/07/16 00:50 https://android.googlesource.com/kernel/common android-4.9 9e7903954483 92a49505 .config console log report ci-android-49-kasan-gce
2018/06/25 19:02 https://android.googlesource.com/kernel/common android-4.9 7cecc756ceae 2064fc5c .config console log report ci-android-49-kasan-gce
2018/06/24 05:21 https://android.googlesource.com/kernel/common android-4.9 7cecc756ceae 2064fc5c .config console log report ci-android-49-kasan-gce-root
2018/06/13 19:49 https://android.googlesource.com/kernel/common android-4.9 b7d377b4640b 27c5f59f .config console log report ci-android-49-kasan-gce
2018/06/05 06:06 https://android.googlesource.com/kernel/common android-4.9 61aafb6b6e40 a50d873b .config console log report ci-android-49-kasan-gce
2018/05/29 13:51 https://android.googlesource.com/kernel/common android-4.9 0cecdf831513 e276de77 .config console log report ci-android-49-kasan-gce
2018/05/29 02:37 https://android.googlesource.com/kernel/common android-4.9 0cecdf831513 f48c20b8 .config console log report ci-android-49-kasan-gce-root
2018/05/28 18:36 https://android.googlesource.com/kernel/common android-4.9 0cecdf831513 f48c20b8 .config console log report ci-android-49-kasan-gce
2018/05/13 08:02 https://android.googlesource.com/kernel/common android-4.9 c2f9bce9fee8 e726f42b .config console log report ci-android-49-kasan-gce
2018/05/13 05:54 https://android.googlesource.com/kernel/common android-4.9 c2f9bce9fee8 e726f42b .config console log report ci-android-49-kasan-gce
2018/04/11 16:25 https://android.googlesource.com/kernel/common android-4.9 f6bec4e8c771 8b8de427 .config console log report ci-android-49-kasan-gce
2018/04/01 15:37 https://android.googlesource.com/kernel/common android-4.9 9c3fb9cd6e63 0a78e248 .config console log report ci-android-49-kasan-gce
2018/03/26 06:47 https://android.googlesource.com/kernel/common android-4.9 dd1e37e64645 e033c1f1 .config console log report ci-android-49-kasan-gce
2018/03/25 22:27 https://android.googlesource.com/kernel/common android-4.9 dd1e37e64645 e033c1f1 .config console log report ci-android-49-kasan-gce
2018/03/21 16:52 https://android.googlesource.com/kernel/common android-4.9 71df7bbae4d8 f63eeee9 .config console log report ci-android-49-kasan-gce
2018/03/01 21:10 https://android.googlesource.com/kernel/common android-4.9 4c4262aa50dc c4089507 .config console log report ci-android-49-kasan-gce
2018/07/22 11:39 https://android.googlesource.com/kernel/common android-4.9 47bbcd6bf8f9 8cc079c3 .config console log report ci-android-49-kasan-gce-386
2018/07/19 21:50 https://android.googlesource.com/kernel/common android-4.9 47bbcd6bf8f9 49f35839 .config console log report ci-android-49-kasan-gce-386
2018/07/02 03:42 https://android.googlesource.com/kernel/common android-4.9 00a0bcbfcfb6 dba0b50e .config console log report ci-android-49-kasan-gce-386
2018/04/20 13:59 https://android.googlesource.com/kernel/common android-4.9 8683408f8e81 cc402841 .config console log report ci-android-49-kasan-gce-386
2018/03/09 03:49 https://android.googlesource.com/kernel/common android-4.9 00db063b0f88 36d1c454 .config console log report ci-android-49-kasan-gce-386
2018/03/07 02:44 https://android.googlesource.com/kernel/common android-4.9 b324a701539e c8a18476 .config console log report ci-android-49-kasan-gce-386
2018/02/25 17:03 https://android.googlesource.com/kernel/common android-4.9 a92bb8d6eac3 5c1e0207 .config console log report ci-android-49-kasan-gce-386
2018/02/25 08:44 https://android.googlesource.com/kernel/common android-4.9 a92bb8d6eac3 5c1e0207 .config console log report ci-android-49-kasan-gce-386
2018/02/10 17:42 https://android.googlesource.com/kernel/common android-4.9 8a174b4749d3 e67d44e0 .config console log report ci-android-49-kasan-gce-386
* Struck through repros no longer work on HEAD.