From: syzbot <syzbot+d3ed975648421c381ca4@syzkaller.appspotmail.com>
To: davem@davemloft.net, kuznet@ms2.inr.ac.ru,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org
Subject: KASAN: stack-out-of-bounds Read in refcount_sub_and_test_checked
Date: Mon, 26 Nov 2018 12:39:05 -0800
Message-ID: <000000000000ee41d6057b975283@google.com>
Hello,
syzbot found the following crash on:
HEAD commit: 358be656406d selftests/net: add txring_overwrite
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=113f8ed5400000
kernel config: https://syzkaller.appspot.com/x/.config?x=c36a72af2123e78a
dashboard link: https://syzkaller.appspot.com/bug?extid=d3ed975648421c381ca4
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d3ed975648421c381ca4@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in atomic_read
include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: stack-out-of-bounds in refcount_sub_and_test_checked+0x9d/0x310
lib/refcount.c:179
Read of size 4 at addr ffff8881da9c0bf0 by task udevd/15453
CPU: 1 PID: 15453 Comm: udevd Not tainted 4.20.0-rc3+ #313
PANIC: double fault, error_code: 0x0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
CPU: 0 PID: 18956 Comm: syz-executor1 Not tainted 4.20.0-rc3+ #313
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__udp4_lib_lookup+0x25/0x870 net/ipv4/udp.c:466
Code: ff 0f 1f 40 00 55 48 89 e5 41 57 41 56 41 55 49 bd 00 00 00 00 00 fc
ff df 41 54 53 44 89 c3 48 81 ec 00 01 00 00 48 8b 45 20 <48> 89 bd 28 ff
ff ff 66 c1 c3 08 4c 8b 65 18 89 b5 1c ff ff ff 89
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
RSP: 0018:ffff8881d9a8af98 EFLAGS: 00010282
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
RAX: 0000000000000000 RBX: 000000000000e5be RCX: 00000000111414ac
RDX: 000000000000224e RSI: 00000000aa1414ac RDI: ffff88818b3fc340
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
RBP: ffff8881d9a8b0c0 R08: 000000000000e5be R09: 0000000000000001
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
R10: 0000000000000000 R11: ffff8881dae2db3b R12: ffff8881d7835800
atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
refcount_sub_and_test_checked+0x9d/0x310 lib/refcount.c:179
R13: dffffc0000000000 R14: ffff8881d78357ec R15: 0000000000000003
FS: 00007f18ebe99700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881d9a8af88 CR3: 000000014f1a9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
refcount_dec_and_test_checked+0x1a/0x20 lib/refcount.c:212
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kref_put include/linux/kref.h:69 [inline]
aa_put_label security/apparmor/include/label.h:447 [inline]
aa_free_file_ctx security/apparmor/include/file.h:75 [inline]
apparmor_file_free_security+0x115/0x1a0 security/apparmor/lsm.c:450
Call Trace:
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.