From: syzbot <syzbot+500c69d1e21d970e461b@syzkaller.appspotmail.com>
To: davem@davemloft.net, linux-hams@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
ralf@linux-mips.org, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in lock_sock_nested
Date: Thu, 14 Feb 2019 21:25:03 -0800 [thread overview]
Message-ID: <0000000000004527440581e7ff1a@google.com> (raw)
In-Reply-To: <0000000000007a5aad057e7748c9@google.com>
syzbot has found a reproducer for the following crash on:
HEAD commit: b3418f8bddf4 Add linux-next specific files for 20190214
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14f63047400000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a3a37525a677c71
dashboard link: https://syzkaller.appspot.com/bug?extid=500c69d1e21d970e461b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b08da7400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+500c69d1e21d970e461b@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3150/0x4710
kernel/locking/lockdep.c:3200
Read of size 8 at addr ffff8880195faa60 by task syz-executor.4/7495
CPU: 1 PID: 7495 Comm: syz-executor.4 Not tainted 5.0.0-rc6-next-20190214
#35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
__lock_acquire+0x3150/0x4710 kernel/locking/lockdep.c:3200
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3833
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x41/0x120 net/core/sock.c:2878
lock_sock include/net/sock.h:1507 [inline]
nr_accept+0x200/0x790 net/netrom/af_netrom.c:808
__sys_accept4+0x350/0x6a0 net/socket.c:1610
__do_sys_accept net/socket.c:1651 [inline]
__se_sys_accept net/socket.c:1648 [inline]
__x64_sys_accept+0x75/0xb0 net/socket.c:1648
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f16cb51ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f16cb51f6d4
R13: 00000000004bdbf0 R14: 00000000004cde80 R15: 00000000ffffffff
Allocated by task 7492:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
__do_kmalloc mm/slab.c:3721 [inline]
__kmalloc+0x15c/0x740 mm/slab.c:3730
kmalloc include/linux/slab.h:553 [inline]
sk_prot_alloc+0x19c/0x2e0 net/core/sock.c:1573
sk_alloc+0x39/0xf70 net/core/sock.c:1627
nr_create+0xb9/0x5e0 net/netrom/af_netrom.c:436
__sock_create+0x3e6/0x750 net/socket.c:1297
sock_create net/socket.c:1337 [inline]
__sys_socket+0x103/0x220 net/socket.c:1367
__do_sys_socket net/socket.c:1376 [inline]
__se_sys_socket net/socket.c:1374 [inline]
__x64_sys_socket+0x73/0xb0 net/socket.c:1374
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7491:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3491 [inline]
kfree+0xcf/0x230 mm/slab.c:3816
sk_prot_free net/core/sock.c:1610 [inline]
__sk_destruct+0x4f1/0x6d0 net/core/sock.c:1692
sk_destruct+0x7b/0x90 net/core/sock.c:1700
__sk_free+0xce/0x300 net/core/sock.c:1711
sk_free+0x42/0x50 net/core/sock.c:1722
sock_put include/net/sock.h:1708 [inline]
nr_release+0x337/0x3c0 net/netrom/af_netrom.c:557
__sock_release+0xd3/0x250 net/socket.c:579
sock_close+0x1b/0x30 net/socket.c:1161
__fput+0x2e5/0x8d0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x14a/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880195fa9c0
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 160 bytes inside of
2048-byte region [ffff8880195fa9c0, ffff8880195fb1c0)
The buggy address belongs to the page:
page:ffffea0000657e80 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0
compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00026f8a88 ffffea000220c888 ffff88812c3f0c40
raw: 0000000000000000 ffff8880195fa140 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880195fa900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880195fa980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8880195faa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880195faa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880195fab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
next prev parent reply other threads:[~2019-02-15 5:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-02 10:41 KASAN: use-after-free Read in lock_sock_nested syzbot
2019-02-15 5:25 ` syzbot [this message]
2019-07-27 9:45 ` syzbot
2020-01-11 10:00 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000004527440581e7ff1a@google.com \
--to=syzbot+500c69d1e21d970e461b@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=linux-hams@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.