From: syzbot <syzbot+ceded3495a1d59f2d244@syzkaller.appspotmail.com>
To: hpa@zytor.com, linux-kernel@vger.kernel.org, luto@kernel.org,
	mingo@redhat.com, syzkaller-bugs@googlegroups.com,
	tglx@linutronix.de, x86@kernel.org
Subject: KASAN: use-after-free Read in __schedule (2)
Date: Thu, 02 Aug 2018 05:59:01 -0700
Message-ID: <0000000000000cc0de0572736043@google.com>

Hello,

syzbot found the following crash on:

HEAD commit:    a94c689e6c9e net: dsa: Do not suspend/resume closed slave_..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=140800e2400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2dc0cd7c2eefb46f
dashboard link: https://syzkaller.appspot.com/bug?extid=ceded3495a1d59f2d244
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1627bbfc400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16e0cc8c400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ceded3495a1d59f2d244@syzkaller.appspotmail.com

R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000005
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000

==================================================================
BUG: KASAN: use-after-free in schedule_debug kernel/sched/core.c:3313 [inline]
BUG: KASAN: use-after-free in __schedule+0x1a18/0x1ec0 kernel/sched/core.c:3423
Read of size 8 at addr ffff8801af280000 by task ip/6349

CPU: 1 PID: 6349 Comm: ip Not tainted 4.18.0-rc7+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 schedule_debug kernel/sched/core.c:3313 [inline]
 __schedule+0x1a18/0x1ec0 kernel/sched/core.c:3423
 schedule+0xfb/0x450 kernel/sched/core.c:3545
 exit_to_usermode_loop+0x22f/0x370 arch/x86/entry/common.c:152
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fab7daf0210
Code: 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 90 90 90 90 90 90 90 90 90 90 83 3d e5 b0 2a 00 00 75 1e b8 2f 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 6e bb 00 00 48 89 04 24
RSP: 002b:00007fff8b328a78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: 0000000000001b94 RBX: 00000000006395c0 RCX: 00007fab7daf0210
RDX: 0000000000000000 RSI: 00007fff8b328ac0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006395c0
R13: 0000000000000000 R14: 00007fff8b32cb98 R15: 00007fff8b32d3a0

The buggy address belongs to the page:
page:ffffea0006bca000 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea000743c288 ffff8801db030118 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801af27ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801af27ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801af280000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801af280080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801af280100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

page:ffffea000714e200 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea0006cfa208 ffff88021fffac18 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:515!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6338 Comm: syz-executor087 Not tainted 4.18.0-rc7+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:put_page_testzero include/linux/mm.h:515 [inline]
RIP: 0010:put_page include/linux/mm.h:938 [inline]
RIP: 0010:__skb_frag_unref include/linux/skbuff.h:2759 [inline]
RIP: 0010:skb_release_data+0x6bd/0x880 net/core/skbuff.c:564
Code: e8 58 09 73 fc 48 8b bd 10 ff ff ff e8 4c e6 fe ff e9 16 fb ff ff e8 42 09 73 fc 48 c7 c6 00 b9 6f 87 4c 89 ef e8 33 c0 a0 fc <0f> 0b e8 2c 09 73 fc 4c 8d 6b ff e9 d3 fc ff ff e8 10 09 73 fc 4c
RSP: 0018:ffff8801ae95f578 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffea000714e234 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81a9e055 RDI: ffffed0035d2bea0
RBP: ffff8801ae95f698 R08: ffff8801c6f66978 R09: 0000000000000006
R10: ffff8801c6f66140 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffea000714e200 R14: ffff8801cfdc4c20 R15: 0000000000000003
FS:  0000000000ae1880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f07e03dea8c CR3: 00000001d752e000 CR4: 00000000001406f0
Call Trace:
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb+0x15/0x20 net/core/skbuff.c:641
 sk_wmem_free_skb include/net/sock.h:1430 [inline]
 tcp_write_queue_purge+0x2c1/0x8b0 net/ipv4/tcp.c:2527
 tcp_disconnect+0x49e/0x1550 net/ipv4/tcp.c:2567
 tcp_close+0x1026/0x12d0 net/ipv4/tcp.c:2363
 tls_sk_proto_close+0x6fc/0xae0 net/tls/tls_main.c:303


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
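The part of a KASAN report that is worth reading mechanically is the "Memory state around the buggy address" block: each shadow byte stands for 8 bytes of kernel memory, and the value under the caret is KASAN's record of what that memory currently is. The decoder below is an added example for this page, not part of the syzbot message or of the kernel tree. It parses the block in the kernel's own layout (the space-stuffed "> " form seen in mail archives also parses), resolves the caret to an address, measures how far the same poison extends in the rows shown, and labels the poison values with the generic-KASAN constants from mm/kasan/kasan.h as of Linux 4.18, the kernel in this report. The sample input is the block from the report above, embedded inline.

```python
"""Decode the "Memory state around the buggy address" block of a KASAN report.

Added example for this page; it is not part of the syzbot message or of the
kernel tree. Poison values are the generic-KASAN constants from
mm/kasan/kasan.h as of Linux 4.18, the kernel in the report above.
"""
import re

SHADOW_SCALE = 8  # KASAN_SHADOW_SCALE_SHIFT = 3: one shadow byte per 8 bytes of memory

# Meaning of a whole-granule shadow value (generic KASAN, 4.18).
POISON = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page-allocator redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF8: "stack variable out of scope (KASAN_USE_AFTER_SCOPE)",
    0xF4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
}

# One row of the block: optional '>' marker, 16-digit address, 16 shadow bytes.
ROW_RE = re.compile(r"^(>?)\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*)+)$")


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value < SHADOW_SCALE:
        return f"partially addressable (first {value} of {SHADOW_SCALE} bytes)"
    return POISON.get(value, f"unknown poison 0x{value:02x}")


def parse_memory_state(text):
    """Return (rows, caret): rows = [(address, [shadow bytes])], caret = (row, byte index)."""
    rows, caret, marked = [], None, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            flag, addr, hexbytes = m.groups()
            rows.append((int(addr, 16), [int(b, 16) for b in hexbytes.split()]))
            if flag:
                marked = (len(rows) - 1, line)  # the '^' line follows this row
            continue
        if "^" in line and marked is not None:
            row, row_line = marked
            first_byte_col = row_line.index(":") + 2  # column of the first "xx"
            caret = (row, (line.index("^") - first_byte_col) // 3)  # "xx " is 3 columns
            marked = None
    return rows, caret


def classify_access(text):
    """Resolve the caret to an address and say what memory KASAN thinks it is."""
    rows, caret = parse_memory_state(text)
    if caret is None:
        raise ValueError("no '>' row followed by a '^' marker")
    row, idx = caret
    value = rows[row][1][idx]
    # KASAN prints consecutive rows, so they flatten into one contiguous shadow range.
    flat = [b for _, shadow in rows for b in shadow]
    pos = sum(len(shadow) for _, shadow in rows[:row]) + idx
    start = pos
    while start > 0 and flat[start - 1] == value:
        start -= 1
    end = pos
    while end + 1 < len(flat) and flat[end + 1] == value:
        end += 1
    return {
        "address": rows[row][0] + idx * SHADOW_SCALE,
        "shadow": value,
        "meaning": describe_shadow(value),
        "region_start": rows[0][0] + start * SHADOW_SCALE,
        "region_bytes_shown": (end - start + 1) * SHADOW_SCALE,
        "preceded_by": describe_shadow(flat[start - 1]) if start > 0 else None,
    }


# The memory-state block from the report above, in the kernel's own layout
# (the caret sits under the first shadow byte of the '>' row).
SAMPLE_REPORT = "\n".join([
    "Memory state around the buggy address:",
    " ffff8801af27ff00: " + " ".join(["fc"] * 16),
    " ffff8801af27ff80: " + " ".join(["fc"] * 16),
    ">ffff8801af280000: " + " ".join(["ff"] * 16),
    " " * 19 + "^",
    " ffff8801af280080: " + " ".join(["ff"] * 16),
    " ffff8801af280100: " + " ".join(["ff"] * 16),
])

if __name__ == "__main__":
    for key, val in classify_access(SAMPLE_REPORT).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) else f"{key}: {val}")
```

Run on the sample it reports that the 8-byte read at ffff8801af280000 landed on memory poisoned 0xff, a page already returned to the page allocator, with a kmalloc redzone (0xfc) directly below it and the freed-page poison covering all 384 bytes shown from that address on. That agrees with the "belongs to the page ... count:0" line of the report and is the reading a triager wants before looking for who freed the page.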


Thread overview: 2+ messages
2018-08-02 12:59 syzbot [this message]
2019-11-07 13:42 ` KASAN: use-after-free Read in __schedule (2) syzbot
