From: syzbot <syzbot+a9dce1ff45c3bbeceb3a@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in j1939_xtp_rx_dat_one (3)
Date: Thu, 31 Mar 2022 18:09:09 -0700	[thread overview]
Message-ID: <00000000000005fb8305db8d6d24@google.com> (raw)
In-Reply-To: <20220401005730.4812-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in j1939_session_deactivate_activate_next

vcan0: j1939_xtp_rx_abort_one: 0xffff888010f92000: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_xtp_rx_abort_one: 0xffff88807c1b1000: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
vcan0: j1939_xtp_rx_abort_one: 0xffff88801af96000: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate net/can/j1939/transport.c:1088 [inline]
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate_activate_next+0x95/0xd3 net/can/j1939/transport.c:1098
Modules linked in:
CPU: 1 PID: 21 Comm: ksoftirqd/1 Tainted: G        W         5.17.0-syzkaller-08652-gae085d7f9365-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:j1939_session_deactivate net/can/j1939/transport.c:1088 [inline]
RIP: 0010:j1939_session_deactivate_activate_next+0x95/0xd3 net/can/j1939/transport.c:1098
Code: 03 38 d0 7c 0c 84 d2 74 08 4c 89 ef e8 75 69 69 f8 8b 5d 28 bf 01 00 00 00 89 de e8 76 c3 1d f8 83 fb 01 77 07 e8 4c c1 1d f8 <0f> 0b e8 45 c1 1d f8 48 89 ef e8 5d 22 dd fe 4c 89 e7 89 c3 e8 c3
RSP: 0018:ffffc900001b79b0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000100
RDX: ffff888011a59d00 RSI: ffffffff895adaf4 RDI: 0000000000000003
RBP: ffff88801af96000 R08: 0000000000000001 R09: ffff88801af9602b
R10: ffffffff895adaea R11: 000000000000001d R12: ffff88801e58d070
R13: ffff88801af96028 R14: ffff88807ba16418 R15: ffffffff8ae458c0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056002b304fe8 CR3: 000000001b125000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 j1939_xtp_rx_abort_one.cold+0x20b/0x33c net/can/j1939/transport.c:1338
 j1939_xtp_rx_abort net/can/j1939/transport.c:1349 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:2098 [inline]
 j1939_tp_recv+0xb28/0xcb0 net/can/j1939/transport.c:2131
 j1939_can_recv+0x6ff/0x9a0 net/can/j1939/main.c:108
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:608
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847
 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413
 napi_poll net/core/dev.c:6480 [inline]
 net_rx_action+0x8ec/0xc60 net/core/dev.c:6567
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:921 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>


Tested on:

commit:         ae085d7f mm: kfence: fix missing objcg housekeeping fo..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=16ab36fd700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6bae4cd50262530e
dashboard link: https://syzkaller.appspot.com/bug?extid=a9dce1ff45c3bbeceb3a
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=151c6fbb700000

