Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com>
To: code@siddh.me, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
Date: Sat, 25 Nov 2023 09:33:08 -0800	[thread overview]
Message-ID: <0000000000005abf1f060afd76bd@google.com> (raw)
In-Reply-To: <8aa60891-cd52-42c0-b9a2-594d69b133fd@siddh.me>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in nfc_llcp_socket_release

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5478, name: syz-executor.0
preempt_count: 2, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz-executor.0/5478:
 #0: ffff88806cd22468 (&local->sockets.lock){++++}-{2:2}, at: nfc_llcp_socket_release+0x56/0xb90 net/nfc/llcp_core.c:90
 #1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: nfc_llcp_socket_release+0xcb/0xb90 net/nfc/llcp_core.c:95
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 5478 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 __might_resched+0x5cf/0x780 kernel/sched/core.c:10151
 __mutex_lock_common kernel/locking/mutex.c:580 [inline]
 __mutex_lock+0xc1/0xd60 kernel/locking/mutex.c:747
 nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
 nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
 local_cleanup+0x28/0xe0 net/nfc/llcp_core.c:161
 nfc_llcp_unregister_device+0x160/0x240 net/nfc/llcp_core.c:1655
 nfc_unregister_device+0x167/0x2a0 net/nfc/core.c:1179
 virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:163
 __fput+0x3cc/0xa10 fs/file_table.c:394
 __do_sys_close fs/open.c:1590 [inline]
 __se_sys_close+0x15f/0x220 fs/open.c:1575
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe8ddc7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffdaf3d080 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe8ddc7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fe8ddd9d980 R08: 0000001b2e060000 R09: 00007fffdaf810b0
R10: 00007fffdaf81080 R11: 0000000000000293 R12: 00000000000151df
R13: ffffffffffffffff R14: 00007fe8dd800000 R15: 0000000000014e9e
 </TASK>

=============================
[ BUG: Invalid wait context ]
6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0 Tainted: G        W         
-----------------------------
syz-executor.0/5478 is trying to lock:
ffff88806cd5c590 (&llcp_sock->lock){+.+.}-{3:3}, at: nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
ffff88806cd5c590 (&llcp_sock->lock){+.+.}-{3:3}, at: nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
other info that might help us debug this:
context-{4:4}
2 locks held by syz-executor.0/5478:
 #0: ffff88806cd22468 (&local->sockets.lock){++++}-{2:2}, at: nfc_llcp_socket_release+0x56/0xb90 net/nfc/llcp_core.c:90
 #1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: nfc_llcp_socket_release+0xcb/0xb90 net/nfc/llcp_core.c:95
stack backtrace:
CPU: 0 PID: 5478 Comm: syz-executor.0 Tainted: G        W          6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4750 [inline]
 check_wait_context kernel/locking/lockdep.c:4820 [inline]
 __lock_acquire+0x1825/0x7f70 kernel/locking/lockdep.c:5086
 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5753
 __mutex_lock_common kernel/locking/mutex.c:603 [inline]
 __mutex_lock+0x136/0xd60 kernel/locking/mutex.c:747
 nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
 nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
 local_cleanup+0x28/0xe0 net/nfc/llcp_core.c:161
 nfc_llcp_unregister_device+0x160/0x240 net/nfc/llcp_core.c:1655
 nfc_unregister_device+0x167/0x2a0 net/nfc/core.c:1179
 virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:163
 __fput+0x3cc/0xa10 fs/file_table.c:394
 __do_sys_close fs/open.c:1590 [inline]
 __se_sys_close+0x15f/0x220 fs/open.c:1575
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe8ddc7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffdaf3d080 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe8ddc7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fe8ddd9d980 R08: 0000001b2e060000 R09: 00007fffdaf810b0
R10: 00007fffdaf81080 R11: 0000000000000293 R12: 00000000000151df
R13: ffffffffffffffff R14: 00007fe8dd800000 R15: 0000000000014e9e
 </TASK>


Tested on:

commit:         7ac1c88a lock
git tree:       https://github.com/siddhpant/linux.git lock
console output: https://syzkaller.appspot.com/x/log.txt?x=11f333af680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1e6a76f6c7029ca2
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

next prev parent reply	other threads:[~2023-11-25 17:33 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-09  8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
2023-11-13 12:04 ` Siddh Raman Pant
2023-11-13 13:33   ` syzbot
2023-11-13 12:43 ` Siddh Raman Pant
2023-11-13 13:48   ` syzbot
2023-11-14 12:06 ` Siddh Raman Pant
2023-11-14 12:31   ` syzbot
2023-11-16 16:55 ` Siddh Raman Pant
2023-11-17 12:48   ` Krzysztof Kozlowski
2023-11-17 13:17     ` Siddh Raman Pant
2023-11-25 17:17 ` Siddh Raman Pant
2023-11-25 17:33   ` syzbot [this message]
2023-11-25 18:18     ` Siddh Raman Pant
2023-11-25 18:54       ` syzbot
2023-11-25 19:06         ` Siddh Raman Pant
2023-11-25 19:45           ` syzbot
2023-12-02 14:12 ` Siddh Raman Pant
2023-12-02 14:37   ` syzbot
2023-12-02 14:14 ` Siddh Raman Pant
2023-12-02 14:56   ` syzbot
2023-12-03 18:22 ` Siddh Raman Pant
2023-12-03 18:46   ` syzbot
2023-12-09  9:27 ` Siddh Raman Pant
2023-12-09  9:44   ` syzbot
2023-12-09  9:55     ` Siddh Raman Pant
2023-12-09 10:20       ` syzbot
2023-12-09 10:39         ` Siddh Raman Pant
2023-12-09 11:03           ` syzbot
2023-12-11  8:44           ` Paolo Abeni
2023-12-12 18:11 ` Siddh Raman Pant
2023-12-12 18:48   ` syzbot
2023-12-17 12:40 ` Siddh Raman Pant
2023-12-17 13:08   ` syzbot
2023-12-18 19:00 ` Siddh Raman Pant
2023-12-19  1:26   ` syzbot
     [not found] <tencent_226A496623B3645B9762576606DE537BE305@qq.com>
2023-11-09 13:02 ` syzbot
     [not found] <tencent_074AC2742F77F567E83C53362096E4365C09@qq.com>
2023-11-09 13:51 ` syzbot
     [not found] <tencent_F3556E8C96D4E90EEEAACFF07A626DBC2D0A@qq.com>
2023-11-09 14:30 ` syzbot
     [not found] <tencent_EA791774C6CBD367236D297003A84441F705@qq.com>
2023-11-09 14:51 ` syzbot
     [not found] <20231109190331.107211-1-kdipendra88@gmail.com>
2023-11-09 19:19 ` syzbot
     [not found] <20231110005229.2333509-1-lizhi.xu@windriver.com>
2023-11-10  1:12 ` syzbot
     [not found] <20231110063236.964222-1-lizhi.xu@windriver.com>
2023-11-10  9:57 ` syzbot
     [not found] <tencent_86284A9674717691670C3DBF360C96CA3609@qq.com>
2023-11-10 11:56 ` syzbot
     [not found] <20231110113921.1500-1-hdanton@sina.com>
2023-11-10 12:19 ` syzbot
     [not found] <tencent_EA64176726C1D373637A296B63AB444FD705@qq.com>
2023-11-10 12:47 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000005abf1f060afd76bd@google.com \
    --to=syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com \
    --cc=code@siddh.me \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.