syzbot


KASAN: use-after-free Read in sock_def_write_space

Status: fixed on 2020/07/20 08:03
Subsystems: arm-msm net
[Documentation on labels]
Fix commit: a9b111016235 llc: make sure applications use ARPHRD_ETHER
First crash: 1969d, last: 1604d
Cause bisection: introduced by (bisect log) :
commit 31c03aef9bc22a64a8324d650ca4198819ef3a33
Author: Willem de Bruijn <willemb@google.com>
Date: Thu Jun 13 16:24:57 2019 +0000

  virtio_net: enable napi_tx by default

Crash: KASAN: use-after-free Read in sock_def_write_space (log)
Repro: syz .config
  
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in sock_def_write_space (3) intel-wired-lan 21 1300d 1536d 0/28 auto-closed as invalid on 2021/08/18 10:16
linux-5.15 KASAN: use-after-free Read in sock_def_write_space (2) 1 370d 370d 0/3 auto-obsoleted due to no activity on 2024/03/15 00:45
upstream KASAN: use-after-free Read in sock_def_write_space (4) net virt 7 948d 1116d 0/28 auto-closed as invalid on 2022/08/04 16:53
upstream KASAN: use-after-free Read in sock_def_write_space (2) arm-msm net C error 29 1546d 1603d 15/28 fixed on 2020/09/16 22:51
linux-5.15 KASAN: use-after-free Read in sock_def_write_space 1 503d 503d 0/3 auto-obsoleted due to no activity on 2023/11/03 11:19
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2019/11/11 23:57 31m bisect fix upstream OK (0) job log log
2019/10/03 05:41 32m bisect fix upstream OK (0) job log log
2019/09/03 05:07 33m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in list_empty include/linux/list.h:282 [inline]
BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:161 [inline]
BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2143 [inline]
BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630 net/core/sock.c:2926
Read of size 8 at addr ffff888082ebf5c0 by task syz-executor433/9398

CPU: 1 PID: 9398 Comm: syz-executor433 Not tainted 5.8.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 list_empty include/linux/list.h:282 [inline]
 waitqueue_active include/linux/wait.h:127 [inline]
 wq_has_sleeper include/linux/wait.h:161 [inline]
 skwq_has_sleeper include/net/sock.h:2143 [inline]
 sock_def_write_space+0x609/0x630 net/core/sock.c:2926
 sock_wfree+0x1cc/0x240 net/core/sock.c:2060
 skb_release_head_state+0x9f/0x250 net/core/skbuff.c:651
 skb_release_all net/core/skbuff.c:662 [inline]
 __kfree_skb net/core/skbuff.c:678 [inline]
 kfree_skb.part.0+0x89/0x350 net/core/skbuff.c:696
 kfree_skb+0x7d/0x100 include/linux/refcount.h:270
 skb_queue_purge+0x14/0x30 net/core/skbuff.c:3077
 qrtr_tun_release+0x40/0x60 net/qrtr/tun.c:118
 __fput+0x33c/0x880 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0xb72/0x2a40 kernel/exit.c:805
 do_group_exit+0x125/0x310 kernel/exit.c:903
 get_signal+0x40b/0x1ee0 kernel/signal.c:2743
 do_signal+0x82/0x2520 arch/x86/kernel/signal.c:810
 exit_to_usermode_loop arch/x86/entry/common.c:235 [inline]
 __prepare_exit_to_usermode+0x156/0x1f0 arch/x86/entry/common.c:269
 do_syscall_64+0x6c/0xe0 arch/x86/entry/common.c:393
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4469f9
Code: Bad RIP value.
RSP: 002b:00007f220f53ad98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000006dbc48 RCX: 00000000004469f9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc48
RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: 0000000000000000 R14: 0000000000000000 R15: 00306974765f7069

Allocated by task 9397:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x12c/0x3b0 mm/slab.c:3484
 sock_alloc_inode+0x18/0x1c0 net/socket.c:253
 alloc_inode+0x61/0x230 fs/inode.c:232
 new_inode_pseudo+0x14/0xe0 fs/inode.c:928
 sock_alloc+0x3c/0x260 net/socket.c:573
 __sock_create+0xb9/0x740 net/socket.c:1392
 sock_create net/socket.c:1479 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1521
 __do_sys_socket net/socket.c:1530 [inline]
 __se_sys_socket net/socket.c:1528 [inline]
 __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 16:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x7f/0x310 mm/slab.c:3694
 i_callback+0x3f/0x70 fs/inode.c:221
 rcu_do_batch kernel/rcu/tree.c:2414 [inline]
 rcu_core+0x5c7/0x1160 kernel/rcu/tree.c:2641
 __do_softirq+0x34c/0xa60 kernel/softirq.c:292

The buggy address belongs to the object at ffff888082ebf540
 which belongs to the cache sock_inode_cache of size 1216
The buggy address is located 128 bytes inside of
 1216-byte region [ffff888082ebf540, ffff888082ebfa00)
The buggy address belongs to the page:
page:ffffea00020bafc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888082ebfffd
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00020bb808 ffffea00020bb088 ffff88821b098000
raw: ffff888082ebfffd ffff888082ebf000 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888082ebf480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888082ebf500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff888082ebf580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888082ebf600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888082ebf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (67):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/17 03:34 upstream f8456690ba8e 54b3c45e .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/07/16 11:07 upstream 994e99a96c9b f3bec699 .config console log report syz C ci-upstream-kasan-gce
2020/07/16 10:14 upstream 994e99a96c9b f3bec699 .config console log report syz C ci-upstream-kasan-gce-386
2020/06/14 22:19 upstream 435faf5c218a 2a22c77a .config console log report syz C ci-qemu-upstream-386
2019/12/16 02:23 upstream 510c9788991c eef6e580 .config console log report syz C ci-qemu-upstream-386
2019/08/04 05:07 upstream dcb8cfbd8fe9 6affd8e8 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/07/18 07:37 upstream 8882572675c1 9c812472 .config console log report ci-upstream-kasan-gce
2020/07/18 03:52 upstream 8882572675c1 9c812472 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/17 00:22 upstream f8456690ba8e 54b3c45e .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/16 23:24 upstream f8456690ba8e 54b3c45e .config console log report ci-upstream-kasan-gce
2020/07/15 03:23 upstream e9919e11e219 609fb517 .config console log report ci-upstream-kasan-gce-root
2020/07/12 02:29 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce
2020/07/03 09:51 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-root
2020/06/30 20:38 upstream 9ebcfadb0610 917afeaa .config console log report ci-upstream-kasan-gce
2020/06/30 02:08 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-smack-root
2020/06/29 06:07 upstream 4e99b32169e8 a2cdad9d .config console log report ci-upstream-kasan-gce-smack-root
2020/06/28 02:59 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce
2020/06/27 05:11 upstream 1590a2e1c681 ffec44b5 .config console log report ci-upstream-kasan-gce
2020/06/25 11:28 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-root
2020/06/25 06:39 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce
2020/06/12 20:36 upstream 435faf5c218a d1c1c849 .config console log report ci-qemu-upstream
2020/05/22 15:32 upstream 051143e1602d 9682898d .config console log report ci-upstream-kasan-gce-smack-root
2020/05/18 22:40 upstream 642b151f45dd 684d3606 .config console log report ci-qemu-upstream
2020/05/12 18:36 upstream 152036d1379f a44eb8f7 .config console log report ci-qemu-upstream
2020/05/12 07:26 upstream 152036d1379f 44aa8310 .config console log report ci-qemu-upstream
2020/04/16 05:45 upstream 00086336a8d9 c743fcb3 .config console log report ci-qemu-upstream
2020/04/10 23:05 upstream c0cc271173b2 a8c6a3f8 .config console log report ci-upstream-kasan-gce-root
2020/01/24 05:44 upstream 4703d9119972 2e95ab33 .config console log report ci-qemu-upstream
2019/12/22 11:26 upstream b8e382a185eb 8b967267 .config console log report ci-qemu-upstream
2019/12/21 11:28 upstream f1fd1610cbb6 bc586918 .config console log report ci-qemu-upstream
2019/12/20 18:40 upstream 6398b9fc818e aa56acc6 .config console log report ci-qemu-upstream
2019/12/17 10:57 upstream ea200dec5128 2b31345f .config console log report ci-qemu-upstream
2019/12/14 03:03 upstream e31736d9fae8 eef6e580 .config console log report ci-qemu-upstream
2019/08/04 02:04 upstream dcb8cfbd8fe9 6affd8e8 .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/03 12:18 upstream 755f1fed27f4 6affd8e8 .config console log report ci-upstream-kasan-gce-root
2019/07/31 21:07 upstream 4010b622f1d2 c692b5bd .config console log report ci-upstream-kasan-gce-root
2020/07/13 16:54 upstream 11ba468877bb f90ec899 .config console log report ci-upstream-kasan-gce-386
2020/07/09 04:41 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce-386
2020/07/07 20:49 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-386
2020/07/04 16:57 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-386
2020/07/03 07:26 upstream cd77006e01b3 bed10395 .config console log report ci-upstream-kasan-gce-386
2020/06/25 00:00 upstream 7ae77150d94d 54566aff .config console log report ci-upstream-kasan-gce-386
2020/03/22 07:33 upstream b74b991fb8b9 78267cec .config console log report ci-qemu-upstream-386
2020/03/19 17:49 upstream cd607737f3b8 2c31c529 .config console log report ci-qemu-upstream-386
2020/02/18 22:24 upstream b1da3acc781c 135c18aa .config console log report ci-qemu-upstream-386
2020/01/28 19:25 upstream c677124e631d c8e81ce4 .config console log report ci-qemu-upstream-386
2019/12/15 11:48 upstream 510c9788991c eef6e580 .config console log report ci-qemu-upstream-386
2019/12/14 02:57 upstream e31736d9fae8 eef6e580 .config console log report ci-qemu-upstream-386
2020/07/15 07:34 net-old d113c0f2e0d2 609fb517 .config console log report ci-upstream-net-this-kasan-gce
2020/05/13 23:11 net-old 99addbe31f55 a885920d .config console log report ci-upstream-net-this-kasan-gce
2020/02/01 07:10 net-old 9f68e3655aae c30117b2 .config console log report ci-upstream-net-this-kasan-gce
2020/01/30 20:35 net-old ccd1f27368e4 5ed23f9a .config console log report ci-upstream-net-this-kasan-gce
2019/12/10 09:40 net-old 991a34593bad 4b83c8fb .config console log report ci-upstream-net-this-kasan-gce
2019/10/12 14:57 net-old 82ad862115c2 426631dd .config console log report ci-upstream-net-this-kasan-gce
2019/07/21 21:54 net-old 1a03bb532934 1656845f .config console log report ci-upstream-net-this-kasan-gce
2020/07/15 06:23 net-next-old 07dd1b7e68e4 609fb517 .config console log report ci-upstream-net-kasan-gce
2020/07/06 12:33 net-next-old e44f65fd666c 51095195 .config console log report ci-upstream-net-kasan-gce
2020/06/02 07:40 net-next-old 9a25c1df24a6 a0331e89 .config console log report ci-upstream-net-kasan-gce
2019/07/20 17:37 net-next-old 31cc088a4f5d 1656845f .config console log report ci-upstream-net-kasan-gce
2020/07/20 00:17 linux-next 4c43049f19a2 9c812472 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/19 19:34 linux-next 4c43049f19a2 9c812472 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/17 18:25 linux-next 4c43049f19a2 9c812472 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/16 08:25 linux-next ca0e494af5ed f3bec699 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/07/22 15:51 linux-next 6d21a41b7b1f b3c615f5 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/07/21 19:37 linux-next 6d21a41b7b1f 1656845f .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.