syzbot


KASAN: use-after-free Read in addr_handler

Status: fixed on 2020/05/10 10:42
Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
Fix commit: 7c11910783a1 RDMA/ucma: Put a lock around every call to the rdma_cm layer
First crash: 1446d, last: 964d

Cause bisection: introduced by (bisect log) :
commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date: Tue Oct 2 08:54:16 2018 +0000

  irqchip/irq-mvebu-icu: Support ICU subnodes

Crash: WARNING: ODEBUG bug in netdev_freemem (log)
Repro: syz .config
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in addr_handler (5) 1 427d 423d 0/24 closed as dup on 2021/10/01 13:34
upstream KASAN: use-after-free Read in addr_handler (4) 1 443d 439d 24/24 closed as dup on 2021/09/15 19:36
upstream KASAN: use-after-free Read in addr_handler (2) 2 858d 901d 17/24 fixed on 2020/09/16 22:51
upstream KASAN: use-after-free Read in addr_handler (3) 1 584d 580d 0/24 auto-closed as invalid on 2021/07/22 15:33

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x30e0/0x4700 kernel/locking/lockdep.c:3215
Read of size 8 at addr ffff88808c00e850 by task kworker/u4:0/7

CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0-rc7 #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __lock_acquire+0x30e0/0x4700 kernel/locking/lockdep.c:3215
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 addr_handler+0xa5/0x300 drivers/infiniband/core/cma.c:2970
 process_one_req+0x109/0x680 drivers/infiniband/core/addr.c:643
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 21113:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 __rdma_create_id+0x5f/0x4e0 drivers/infiniband/core/cma.c:879
 ucma_create_id+0x1de/0x640 drivers/infiniband/core/ucma.c:506
 ucma_write+0x2da/0x3c0 drivers/infiniband/core/ucma.c:1689
 __vfs_write+0x116/0x8e0 fs/read_write.c:485
 vfs_write+0x20c/0x580 fs/read_write.c:549
 ksys_write+0xea/0x1f0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 21126:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 rdma_destroy_id+0x723/0xab0 drivers/infiniband/core/cma.c:1849
 ucma_close+0x115/0x320 drivers/infiniband/core/ucma.c:1770
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 get_signal+0x1961/0x1d50 kernel/signal.c:2388
 do_signal+0x87/0x1940 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x244/0x2c0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808c00e4c0
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 912 bytes inside of
 2048-byte region [ffff88808c00e4c0, ffff88808c00ecc0)
The buggy address belongs to the page:
page:ffffea0002300380 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0xffff88808c00ed40 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00022f6b08 ffffea0002a03388 ffff88812c3f0c40
raw: ffff88808c00ed40 ffff88808c00e4c0 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c00e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c00e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808c00e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff88808c00e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c00e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2020/01/28 02:33 upstream b0be0eff1a5a 59f36113 .config log report syz
ci-upstream-kasan-gce-root 2019/12/18 22:46 upstream 80a0c2e511a9 59f36113 .config log report syz
ci-upstream-kasan-gce 2019/11/09 21:09 upstream 00aff6836241 59f36113 .config log report syz
ci-upstream-kasan-gce 2019/08/23 22:52 upstream a3b22b9f11d9 59f36113 .config log report syz
* Struck through repros no longer work on HEAD.
Crashes (12):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2019/02/19 05:11 upstream a3b22b9f11d9 59f36113 .config log report syz
ci-upstream-kasan-gce 2019/02/19 04:08 upstream a3b22b9f11d9 59f36113 .config log report syz
ci-upstream-kasan-gce-386 2019/02/19 14:17 upstream b5372fe5dc84 59f36113 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/02/19 12:36 linux-next 43dc36c945ef 59f36113 .config log report syz
ci-upstream-kasan-gce 2020/04/08 12:23 upstream f5e94d10e4c4 db9bcd4b .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/19 05:00 upstream 2187f215ebaa 79b211f7 .config log report
ci-upstream-kasan-gce-selinux-root 2019/08/28 20:45 upstream 6525771f58cb fd37b39e .config log report
ci-upstream-kasan-gce 2019/02/19 03:22 upstream a3b22b9f11d9 59f36113 .config log report
ci-upstream-kasan-gce-smack-root 2019/01/02 19:09 upstream 8e143b90e4d4 f0491811 .config log report
ci-upstream-kasan-gce-386 2019/01/23 19:15 upstream 333478a7eb21 7cf3249c .config log report
ci-upstream-kasan-gce-386 2018/12/13 10:54 upstream f5d582777bcb f3d9d594 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/07/24 22:23 linux-next 9e6dfe8045f8 32329ceb .config log report
* Struck through repros no longer work on HEAD.