syzbot


KASAN: use-after-free Read in rxrpc_put_peer

Status: auto-closed as invalid on 2020/02/24 07:46
Reported-by: syzbot+07381ccfc86db0750d8a@syzkaller.appspotmail.com
First crash: 1681d, last: 1635d
Similar bugs (1)

Kernel    Title                                                  Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
upstream  KASAN: use-after-free Read in rxrpc_put_peer (afs net) C      error         -           38     1643d  1695d     13/26    fixed on 2019/11/04 14:50

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:415 [inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0x64f/0x660 net/rxrpc/peer_object.c:439
Read of size 8 at addr ffff8880888a36d8 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __rxrpc_put_peer net/rxrpc/peer_object.c:415 [inline]
 rxrpc_put_peer+0x64f/0x660 net/rxrpc/peer_object.c:439
 rxrpc_rcu_destroy_call+0x5e/0x140 net/rxrpc/call_object.c:657
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
 __do_softirq+0x25c/0x921 kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:653 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:645
 smpboot_thread_fn+0x6a3/0xa30 kernel/smpboot.c:164
 kthread+0x354/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 9272:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 rxrpc_alloc_local net/rxrpc/local_object.c:83 [inline]
 rxrpc_lookup_local+0x562/0x1b70 net/rxrpc/local_object.c:281
 rxrpc_sendmsg+0x36f/0x5b0 net/rxrpc/af_rxrpc.c:573
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
 __sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
 __do_sys_sendmmsg net/socket.c:2239 [inline]
 __se_sys_sendmmsg net/socket.c:2236 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7552:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 rxrpc_local_rcu+0x53/0x60 net/rxrpc/local_object.c:500
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
 __do_softirq+0x25c/0x921 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880888a36c0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 24 bytes inside of
 1024-byte region [ffff8880888a36c0, ffff8880888a3ac0)
The buggy address belongs to the page:
page:ffffea0002222880 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0xffff8880888a3b40 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea0002a13788 ffffea0002a59c08 ffff88812c3f0ac0
raw: ffff8880888a3b40 ffff8880888a2040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880888a3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880888a3600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880888a3680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8880888a3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880888a3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):

Time              Kernel        Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager          Title
2019/10/27 07:45  linux-4.19.y  c3038e718a19  25bb509e   .config  console log  report  -          -        -        -       ci2-linux-4-19   -
2019/09/11 10:02  linux-4.19.y  ee809c7e0895  a60cb4cd   .config  console log  report  -          -        -        -       ci2-linux-4-19   -