syzbot


KASAN: slab-out-of-bounds Read in tipc_named_reinit

Status: auto-closed as invalid on 2020/06/05 09:16
Reported-by: syzbot+bda7c3abd13f6d76f1f1@syzkaller.appspotmail.com
First crash: 1709d, last: 1709d

Sample crash report:
tipc: 32-bit node address hash set to fbff1eac
==================================================================
BUG: KASAN: slab-out-of-bounds in tipc_named_reinit+0x1aa/0x360 net/tipc/name_distr.c:344
Read of size 8 at addr ffff8881c505e000 by task kworker/0:9/16995

CPU: 0 PID: 16995 Comm: kworker/0:9 Not tainted 5.4.17-syzkaller-00005-g2303d908db80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x228 lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 tipc_named_reinit+0x1aa/0x360 net/tipc/name_distr.c:344
 tipc_net_finalize+0xcb/0x130 net/tipc/net.c:138
 tipc_net_finalize_work+0x54/0x80 net/tipc/net.c:150
 process_one_work+0x9d8/0x1030 kernel/workqueue.c:2270
 worker_thread+0xbbc/0x1610 kernel/workqueue.c:2416
 kthread+0x31a/0x340 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c505df80
 which belongs to the cache TIPC of size 984
The buggy address is located 128 bytes inside of
 984-byte region [ffff8881c505df80, ffff8881c505e358)
The buggy address belongs to the page:
page:ffffea0007141700 refcount:1 mapcount:0 mapping:ffff8881d70cf400 index:0x0 compound_mapcount: 0
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881d70cf400
raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c505df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c505df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c505e000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8881c505e080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c505e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 16995 Comm: kworker/0:9 Tainted: G    B             5.4.17-syzkaller-00005-g2303d908db80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested lib/rhashtable.c:1203 [inline]
RIP: 0010:rht_bucket include/linux/rhashtable.h:290 [inline]
RIP: 0010:__rhashtable_walk_find_next+0x4b5/0x9b0 lib/rhashtable.c:794
Code: 00 74 0e 89 cb e8 7b a8 78 ff 89 d9 48 8b 7c 24 78 49 c1 e7 03 4c 03 3f 48 8b 44 24 58 d3 e8 89 44 24 2c 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 4c a8 78 ff 4d 8b 3f 31 ff 4c 89
RSP: 0018:ffff88819cd779e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c73b0040
RBP: ffff88819cd77b40 R08: ffffffff81f8318d R09: 0000000000000003
R10: ffffed10339aef49 R11: 0000000000000004 R12: ffff8881c505e010
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001840 CR3: 00000001c7890004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rhashtable_walk_next+0x23b/0x2e0 lib/rhashtable.c:878
 tipc_sk_reinit+0x119/0x4a0 net/tipc/socket.c:2790
 tipc_net_finalize+0xd3/0x130 net/tipc/net.c:139
 tipc_net_finalize_work+0x54/0x80 net/tipc/net.c:150
 process_one_work+0x9d8/0x1030 kernel/workqueue.c:2270
 worker_thread+0xbbc/0x1610 kernel/workqueue.c:2416
 kthread+0x31a/0x340 kernel/kthread.c:255
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 7e2eda9cb19c9b43 ]---
RIP: 0010:__rht_bucket_nested lib/rhashtable.c:1178 [inline]
RIP: 0010:rht_bucket_nested lib/rhashtable.c:1203 [inline]
RIP: 0010:rht_bucket include/linux/rhashtable.h:290 [inline]
RIP: 0010:__rhashtable_walk_find_next+0x4b5/0x9b0 lib/rhashtable.c:794
Code: 00 74 0e 89 cb e8 7b a8 78 ff 89 d9 48 8b 7c 24 78 49 c1 e7 03 4c 03 3f 48 8b 44 24 58 d3 e8 89 44 24 2c 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 4c a8 78 ff 4d 8b 3f 31 ff 4c 89
RSP: 0018:ffff88819cd779e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffff8881 RCX: 00000000ffff8881
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c73b0040
RBP: ffff88819cd77b40 R08: ffffffff81f8318d R09: 0000000000000003
R10: ffffed10339aef49 R11: 0000000000000004 R12: ffff8881c505e010
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001840 CR3: 00000001c7890004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/06 09:15 https://android.googlesource.com/kernel/common android-5.4 2303d908db80 662cf49a .config console log report ci2-android-5-4-kasan
* Struck through repros no longer work on HEAD.