* KASAN: use-after-free Read in update_blocked_averages
From: syzbot @ 2018-11-11 18:18 UTC
To: linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    12ceaf8864c2 infiniband: nes: Fix more direct skb list acc..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15a82783400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dcbea7daf3ea3e3e
dashboard link: https://syzkaller.appspot.com/bug?extid=0dbf864d3b52555e8265
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=137ae6d5400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15dbd77b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in skip_blocked_update kernel/sched/fair.c:3324 [inline]
BUG: KASAN: use-after-free in update_blocked_averages+0x1533/0x1e00 kernel/sched/fair.c:7400
kasan: CONFIG_KASAN_INLINE enabled
Read of size 8 at addr ffff8801bf0d6ea0 by task syz-executor841/6015

kasan: GPF could be caused by NULL-ptr deref or user memory access
CPU: 1 PID: 6015 Comm: syz-executor841 Not tainted 4.20.0-rc1+ #289
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
CPU: 0 PID: 6272 Comm: syz-executor841 Not tainted 4.20.0-rc1+ #289
Call Trace:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
RIP: 0010:vmalloc_fault+0x426/0x770 arch/x86/mm/fault.c:405
Code: e0 e8 fe 25 47 00 48 b8 00 00 00 00 00 88 ff ff 48 ba 00 00 00 00 00 fc ff df 48 01 c3 4d 21 e5 4c 01 eb 48 89 d9 48 c1 e9 03 <80> 3c 11 00 0f 85 b2 02 00 00 48 8b 1b 31 ff 49 89 dc 49 83 e4 9f
RSP: 0018:ffff8801d9d624c8 EFLAGS: 00010002
RAX: ffff880000000000 RBX: 000f100180000040 RCX: 0001e20030000008
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
RDX: dffffc0000000000 RSI: ffffffff813864c2 RDI: 0000000000000007
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
RBP: ffff8801d9d624f8 R08: ffff8801bbb56700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000fffffc0000000
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
R13: 000f880180000000 R14: ffffc90001159838 R15: 1ffffffff12a3f98
 skip_blocked_update kernel/sched/fair.c:3324 [inline]
 update_blocked_averages+0x1533/0x1e00 kernel/sched/fair.c:7400
FS:  0000000001f7d880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90001159838 CR3: 00000001ba705000 CR4: 00000000001406f0
Call Trace:
Modules linked in:
---[ end trace f6450057874cc9c7 ]---
RIP: 0010:vmalloc_fault+0x426/0x770 arch/x86/mm/fault.c:405
Code: e0 e8 fe 25 47 00 48 b8 00 00 00 00 00 88 ff ff 48 ba 00 00 00 00 00 fc ff df 48 01 c3 4d 21 e5 4c 01 eb 48 89 d9 48 c1 e9 03 <80> 3c 11 00 0f 85 b2 02 00 00 48 8b 1b 31 ff 49 89 dc 49 83 e4 9f
RSP: 0018:ffff8801d9d624c8 EFLAGS: 00010002
RAX: ffff880000000000 RBX: 000f100180000040 RCX: 0001e20030000008
RDX: dffffc0000000000 RSI: ffffffff813864c2 RDI: 0000000000000007
RBP: ffff8801d9d624f8 R08: ffff8801bbb56700 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000fffffc0000000
R13: 000f880180000000 R14: ffffc90001159838 R15: 1ffffffff12a3f98
FS:  0000000001f7d880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90001159838 CR3: 00000001ba705000 CR4: 00000000001406f0

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KASAN: use-after-free Read in update_blocked_averages
From: Dmitry Vyukov @ 2018-11-11 18:24 UTC
To: syzbot; +Cc: LKML, syzkaller-bugs, netdev

On Sun, Nov 11, 2018 at 10:18 AM, syzbot
<syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    12ceaf8864c2 infiniband: nes: Fix more direct skb list acc..
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=15a82783400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=dcbea7daf3ea3e3e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0dbf864d3b52555e8265
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=137ae6d5400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15dbd77b400000

Looking at the reproducer this looks network-related, +netdev

r0 = socket$inet6(0xa, 0x2, 0x0)
connect$inet6(r0, &(0x7f0000000100)={0xa, 0x0, 0x0, @dev, 0x6}, 0x1c)
connect$inet6(r0, &(0x7f0000000580)={0xa, 0x4e22, 0x0, @ipv4={[], [], @local}}, 0x1c)
sendmmsg(r0, &(0x7f00000092c0), 0x4ff, 0x0)

> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com
>
> IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KASAN: use-after-free in skip_blocked_update kernel/sched/fair.c:3324 [inline]
> BUG: KASAN: use-after-free in update_blocked_averages+0x1533/0x1e00 kernel/sched/fair.c:7400
> kasan: CONFIG_KASAN_INLINE enabled
> Read of size 8 at addr ffff8801bf0d6ea0 by task syz-executor841/6015
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> CPU: 1 PID: 6015 Comm: syz-executor841 Not tainted 4.20.0-rc1+ #289
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> CPU: 0 PID: 6272 Comm: syz-executor841 Not tainted 4.20.0-rc1+ #289
> Call Trace:
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x244/0x39d lib/dump_stack.c:113
> RIP: 0010:vmalloc_fault+0x426/0x770 arch/x86/mm/fault.c:405
> Code: e0 e8 fe 25 47 00 48 b8 00 00 00 00 00 88 ff ff 48 ba 00 00 00 00 00 fc ff df 48 01 c3 4d 21 e5 4c 01 eb 48 89 d9 48 c1 e9 03 <80> 3c 11 00 0f 85 b2 02 00 00 48 8b 1b 31 ff 49 89 dc 49 83 e4 9f
> RSP: 0018:ffff8801d9d624c8 EFLAGS: 00010002
> RAX: ffff880000000000 RBX: 000f100180000040 RCX: 0001e20030000008
>  print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
> RDX: dffffc0000000000 RSI: ffffffff813864c2 RDI: 0000000000000007
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
> RBP: ffff8801d9d624f8 R08: ffff8801bbb56700 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 000fffffc0000000
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
> R13: 000f880180000000 R14: ffffc90001159838 R15: 1ffffffff12a3f98
>  skip_blocked_update kernel/sched/fair.c:3324 [inline]
>  update_blocked_averages+0x1533/0x1e00 kernel/sched/fair.c:7400
> FS:  0000000001f7d880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90001159838 CR3: 00000001ba705000 CR4: 00000000001406f0
> Call Trace:
> Modules linked in:
> ---[ end trace f6450057874cc9c7 ]---
> RIP: 0010:vmalloc_fault+0x426/0x770 arch/x86/mm/fault.c:405
> Code: e0 e8 fe 25 47 00 48 b8 00 00 00 00 00 88 ff ff 48 ba 00 00 00 00 00 fc ff df 48 01 c3 4d 21 e5 4c 01 eb 48 89 d9 48 c1 e9 03 <80> 3c 11 00 0f 85 b2 02 00 00 48 8b 1b 31 ff 49 89 dc 49 83 e4 9f
> RSP: 0018:ffff8801d9d624c8 EFLAGS: 00010002
> RAX: ffff880000000000 RBX: 000f100180000040 RCX: 0001e20030000008
> RDX: dffffc0000000000 RSI: ffffffff813864c2 RDI: 0000000000000007
> RBP: ffff8801d9d624f8 R08: ffff8801bbb56700 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 000fffffc0000000
> R13: 000f880180000000 R14: ffffc90001159838 R15: 1ffffffff12a3f98
> FS:  0000000001f7d880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90001159838 CR3: 00000001ba705000 CR4: 00000000001406f0
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
* Re: KASAN: use-after-free Read in update_blocked_averages
From: syzbot @ 2019-03-21 3:34 UTC
To: davem, dvyukov, kuznet, linux-kernel, netdev, sbrivio, sd, syzkaller-bugs, yoshfuji

syzbot has bisected this bug to:

commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
Author: Stefano Brivio <sbrivio@redhat.com>
Date:   Thu Nov 8 11:19:23 2018 +0000

    fou, fou6: ICMP error handlers for FoU and GUE

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11e33c17200000
start commit:   b8a51b38 fou, fou6: ICMP error handlers for FoU and GUE
git tree:       net-next
final crash:    https://syzkaller.appspot.com/x/report.txt?x=13e33c17200000
console output: https://syzkaller.appspot.com/x/log.txt?x=15e33c17200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dcbea7daf3ea3e3e
dashboard link: https://syzkaller.appspot.com/bug?extid=0dbf864d3b52555e8265
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=137ae6d5400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15dbd77b400000

Reported-by: syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com
Fixes: b8a51b38 ("fou, fou6: ICMP error handlers for FoU and GUE")
* Re: KASAN: use-after-free Read in update_blocked_averages
From: Dmitry Vyukov @ 2019-03-21 6:01 UTC
To: syzbot
Cc: David Miller, Alexey Kuznetsov, LKML, netdev, Stefano Brivio, Sabrina Dubroca, syzkaller-bugs, Hideaki YOSHIFUJI

On Thu, Mar 21, 2019 at 4:34 AM syzbot
<syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com> wrote:
>
> syzbot has bisected this bug to:
>
> commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
> Author: Stefano Brivio <sbrivio@redhat.com>
> Date:   Thu Nov 8 11:19:23 2018 +0000
>
>     fou, fou6: ICMP error handlers for FoU and GUE
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11e33c17200000
> start commit:   b8a51b38 fou, fou6: ICMP error handlers for FoU and GUE
> git tree:       net-next
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=13e33c17200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15e33c17200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=dcbea7daf3ea3e3e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0dbf864d3b52555e8265
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=137ae6d5400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15dbd77b400000
>
> Reported-by: syzbot+0dbf864d3b52555e8265@syzkaller.appspotmail.com
> Fixes: b8a51b38 ("fou, fou6: ICMP error handlers for FoU and GUE")

That commit caused lots of crashes that look completely different. Now all
that is fixed. The last crash for this bug happened 2+ months ago.
So let's just do:

#syz fix: fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite