Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
upstream | KASAN: use-after-free Read in rxrpc_put_peer afs net | C | error | 38 | 1872d | 1924d | 13/28 | fixed on 2019/11/04 14:50 |
syzbot |
sign-in | mailing list | source | docs |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
upstream | KASAN: use-after-free Read in rxrpc_put_peer afs net | C | error | 38 | 1872d | 1924d | 13/28 | fixed on 2019/11/04 14:50 |
================================================================== BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:415 [inline] BUG: KASAN: use-after-free in rxrpc_put_peer+0x64f/0x660 net/rxrpc/peer_object.c:439 Read of size 8 at addr ffff8880888a36d8 by task ksoftirqd/0/9 CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.19.80 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __rxrpc_put_peer net/rxrpc/peer_object.c:415 [inline] rxrpc_put_peer+0x64f/0x660 net/rxrpc/peer_object.c:439 rxrpc_rcu_destroy_call+0x5e/0x140 net/rxrpc/call_object.c:657 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881 __do_softirq+0x25c/0x921 kernel/softirq.c:292 run_ksoftirqd kernel/softirq.c:653 [inline] run_ksoftirqd+0x8e/0x110 kernel/softirq.c:645 smpboot_thread_fn+0x6a3/0xa30 kernel/smpboot.c:164 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 9272: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] rxrpc_alloc_local net/rxrpc/local_object.c:83 [inline] rxrpc_lookup_local+0x562/0x1b70 net/rxrpc/local_object.c:281 rxrpc_sendmsg+0x36f/0x5b0 net/rxrpc/af_rxrpc.c:573 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:632 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2115 __sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210 __do_sys_sendmmsg net/socket.c:2239 [inline] __se_sys_sendmmsg net/socket.c:2236 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7552: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 rxrpc_local_rcu+0x53/0x60 net/rxrpc/local_object.c:500 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881 __do_softirq+0x25c/0x921 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880888a36c0 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [ffff8880888a36c0, ffff8880888a3ac0) The buggy address belongs to the page: page:ffffea0002222880 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0xffff8880888a3b40 compound_mapcount: 0 flags: 0x1fffc0000008100(slab|head) raw: 01fffc0000008100 ffffea0002a13788 ffffea0002a59c08 ffff88812c3f0ac0 raw: ffff8880888a3b40 ffff8880888a2040 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880888a3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880888a3600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8880888a3680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8880888a3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880888a3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2019/10/27 07:45 | linux-4.19.y | c3038e718a19 | 25bb509e | .config | console log | report | ci2-linux-4-19 | |||||
2019/09/11 10:02 | linux-4.19.y | ee809c7e0895 | a60cb4cd | .config | console log | report | ci2-linux-4-19 |