From: syzbot <syzbot+04babcefcd396fabec37@syzkaller.appspotmail.com>
To: andrew.hendry@gmail.com, davem@davemloft.net,
dvlasenk@redhat.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, linux-x25@vger.kernel.org,
ms@dev.tdt.de, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: KASAN: use-after-free Read in x25_device_event
Date: Sat, 29 Dec 2018 10:50:03 -0800
Message-ID: <000000000000cdc755057e2da575@google.com>
Hello,
syzbot found the following crash on:
HEAD commit: 38355a5f9a22 bnx2x: Fix NULL pointer dereference in bnx2x_..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=144e49ed400000
kernel config: https://syzkaller.appspot.com/x/.config?x=7321a72d3309c029
dashboard link: https://syzkaller.appspot.com/bug?extid=04babcefcd396fabec37
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04babcefcd396fabec37@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in x25_kill_by_device net/x25/af_x25.c:217 [inline]
BUG: KASAN: use-after-free in x25_device_event+0x297/0x2b0 net/x25/af_x25.c:252
Read of size 8 at addr ffff8881b5c85ad0 by task syz-executor2/22350
CPU: 1 PID: 22350 Comm: syz-executor2 Not tainted 4.20.0-rc7+ #248
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
x25_kill_by_device net/x25/af_x25.c:217 [inline]
x25_device_event+0x297/0x2b0 net/x25/af_x25.c:252
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1733
call_netdevice_notifiers net/core/dev.c:1751 [inline]
__dev_notify_flags+0x29b/0x480 net/core/dev.c:7547
dev_change_flags+0xfd/0x150 net/core/dev.c:7581
dev_ifsioc+0x7d6/0xa80 net/core/dev_ioctl.c:237
dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457759
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4c06d4fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457759
RDX: 00000000200005c0 RSI: 0000000000008914 RDI: 0000000000000005
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c06d506d4
R13: 00000000004c2c32 R14: 00000000004d52f8 R15: 00000000ffffffff
Allocated by task 10606:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
x25_link_device_up+0xb2/0x500 net/x25/x25_link.c:249
x25_device_event+0x116/0x2b0 net/x25/af_x25.c:242
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1733
call_netdevice_notifiers net/core/dev.c:1751 [inline]
__dev_notify_flags+0x17a/0x480 net/core/dev.c:7545
dev_change_flags+0xfd/0x150 net/core/dev.c:7581
dev_ifsioc+0x7d6/0xa80 net/core/dev_ioctl.c:237
dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 22299:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
x25_neigh_put include/net/x25.h:253 [inline]
__x25_remove_neigh+0x233/0x310 net/x25/x25_link.c:290
x25_link_device_down+0xc7/0x130 net/x25/x25_link.c:308
x25_device_event+0x262/0x2b0 net/x25/af_x25.c:254
notifier_call_chain+0x17e/0x380 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1733
call_netdevice_notifiers net/core/dev.c:1751 [inline]
__dev_notify_flags+0x29b/0x480 net/core/dev.c:7547
dev_change_flags+0xfd/0x150 net/core/dev.c:7581
dev_ifsioc+0x7d6/0xa80 net/core/dev_ioctl.c:237
dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:488
sock_do_ioctl+0x1f6/0x420 net/socket.c:973
sock_ioctl+0x313/0x690 net/socket.c:1074
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881b5c85ac0
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 16 bytes inside of
256-byte region [ffff8881b5c85ac0, ffff8881b5c85bc0)
The buggy address belongs to the page:
page:ffffea0006d72140 count:1 mapcount:0 mapping:ffff8881da8007c0 index:0xffff8881b5c85e80
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea00075f33c8 ffffea000731be48 ffff8881da8007c0
raw: ffff8881b5c85e80 ffff8881b5c850c0 0000000100000008 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881b5c85980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881b5c85a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881b5c85a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8881b5c85b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881b5c85b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.