Hello,
syzbot tried to test the proposed patch but build/boot failed:
]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
spin_lock include/linux/spinlock.h:310 [inline]
ptr_ring_consume include/linux/ptr_ring.h:335 [inline]
ptr_ring_cleanup include/linux/ptr_ring.h:671 [inline]
tun_chr_close+0x334/0x6e0 drivers/net/tun.c:3248
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47fc44
RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48
Allocated by task 4471:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc+0x14e/0x760 mm/slab.c:3727
kmalloc include/linux/slab.h:517 [inline]
sk_prot_alloc+0x1ae/0x2e0 net/core/sock.c:1474
sk_alloc+0x104/0x17b0 net/core/sock.c:1528
tun_chr_open+0xef/0x690 drivers/net/tun.c:3211
misc_open+0x3ca/0x560 drivers/char/misc.c:154
chrdev_open+0x256/0x760 fs/char_dev.c:417
do_dentry_open+0x7ef/0xf10 fs/open.c:784
vfs_open+0x139/0x230 fs/open.c:906
do_last fs/namei.c:3365 [inline]
path_openat+0x1676/0x4e20 fs/namei.c:3501
do_filp_open+0x249/0x350 fs/namei.c:3535
do_sys_open+0x56f/0x740 fs/open.c:1093
__do_sys_openat fs/open.c:1120 [inline]
__se_sys_openat fs/open.c:1114 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1114
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 4471:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xd9/0x260 mm/slab.c:3813
sk_prot_free net/core/sock.c:1511 [inline]
__sk_destruct+0x772/0xa40 net/core/sock.c:1593
sk_destruct+0x78/0x90 net/core/sock.c:1601
__sk_free+0x22e/0x340 net/core/sock.c:1612
sk_free+0x42/0x50 net/core/sock.c:1623
sock_put include/net/sock.h:1664 [inline]
__tun_detach+0xacd/0x1170 drivers/net/tun.c:732
tun_detach drivers/net/tun.c:744 [inline]
tun_chr_close+0x596/0x6e0 drivers/net/tun.c:3247
__fput+0x34d/0x890 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801b335a580
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1760 bytes inside of
2048-byte region [ffff8801b335a580, ffff8801b335ad80)
The buggy address belongs to the page:
page:ffffea0006ccd680 count:1 mapcount:0 mapping:ffff8801b335a580 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801b335a580 0000000000000000 0000000100000003
raw: ffffea0006ca5da0 ffffea0006b572a0 ffff8801da800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b335ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b335ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801b335ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b335ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b335ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[....] Starting enhanced syslogd: rsyslogd [?25l [?1c 7 [1G[ [32m ok
[39;49m 8 [?25h [?0c.
[....] Starting periodic command scheduler: cron [?25l [?1c 7 [1G[ [32m ok
[39;49m 8 [?25h [?0c.
[....] Starting OpenBSD Secure Shell server: sshd[ 18.002297] random:
sshd: uninitialized urandom read (32 bytes read)
[?25l [?1c 7 [1G[ [32m ok [39;49m 8 [?25h [?0c.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 21.947302] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.246962] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.087083] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts.
[ 28.630872] random: sshd: uninitialized urandom read (32 bytes read)
2018/05/16 16:28:07 fuzzer started
2018/05/16 16:28:08 connecting to host at 10.128.0.26:46047
2018/05/16 16:28:08 checking config...
[ 52.158714] can: request_module (can-proto-0) failed.
[ 52.168271] can: request_module (can-proto-0) failed.
[ 52.836690]
==================================================================
[ 52.844104] BUG: KASAN: use-after-free in __lock_acquire+0x3888/0x5140
[ 52.850754] Read of size 8 at addr ffff8801b335ac60 by task syz-fuzzer/4471
[ 52.857828]
[ 52.859457] CPU: 1 PID: 4471 Comm: syz-fuzzer Not tainted 4.17.0-rc4+ #1
[ 52.866272] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.875601] Call Trace:
[ 52.878171] dump_stack+0x1b9/0x294
[ 52.881784] ? dump_stack_print_info.cold.2+0x52/0x52
[ 52.886952] ? printk+0x9e/0xba
[ 52.890209] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 52.894944] ? kasan_check_write+0x14/0x20
[ 52.899156] print_address_description+0x6c/0x20b
[ 52.903977] ? __lock_acquire+0x3888/0x5140
[ 52.908282] kasan_report.cold.7+0x242/0x2fe
[ 52.912669] __asan_report_load8_noabort+0x14/0x20
[ 52.917585] __lock_acquire+0x3888/0x5140
[ 52.921712] ? kasan_check_write+0x14/0x20
[ 52.925926] ? __mutex_unlock_slowpath+0x180/0x8a0
[ 52.930837] ? __sk_destruct+0x70b/0xa40
[ 52.934885] ? wait_for_completion+0x870/0x870
[ 52.939445] ? debug_check_no_locks_freed+0x310/0x310
[ 52.944622] ? __mutex_lock+0x7d9/0x17f0
[ 52.948662] ? rtnl_lock+0x17/0x20
[ 52.952180] ? print_usage_bug+0xc0/0xc0
[ 52.956221] ? mutex_trylock+0x2a0/0x2a0
[ 52.960263] ? mutex_unlock+0xd/0x10
[ 52.963957] ? __rtnl_unlock+0x7e/0x90
[ 52.967825] ? netdev_run_todo+0x747/0xa50
[ 52.972050] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 52.976784] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 52.981517] ? register_netdev+0x50/0x50
[ 52.985561] ? sk_destruct+0x7d/0x90
[ 52.989254] ? __sk_free+0x233/0x340
[ 52.992944] ? sk_free+0x47/0x50
[ 52.996289] ? __tun_detach+0x1a3/0x1170
[ 53.000327] ? debug_check_no_locks_freed+0x310/0x310
[ 53.005505] ? tun_attach+0x1720/0x1720
[ 53.009457] lock_acquire+0x1dc/0x520
[ 53.013236] ? tun_chr_close+0x334/0x6e0
[ 53.017278] ? lock_release+0xa10/0xa10
[ 53.021231] ? __lock_is_held+0xb5/0x140
[ 53.025272] ? __tun_detach+0x1170/0x1170
[ 53.029408] _raw_spin_lock+0x2a/0x40
[ 53.033189] ? tun_chr_close+0x334/0x6e0
[ 53.037240] tun_chr_close+0x334/0x6e0
[ 53.041108] ? fcntl_setlk+0x1020/0x1020
[ 53.045147] ? __tun_detach+0x1170/0x1170
[ 53.049271] ? fsnotify+0xfc0/0xfc0
[ 53.052875] ? fsnotify_first_mark+0x330/0x330
[ 53.057447] ? __might_sleep+0x95/0x190
[ 53.061400] ? __tun_detach+0x1170/0x1170
[ 53.065535] __fput+0x34d/0x890
[ 53.068792] ? fput+0x1a0/0x1a0
[ 53.072051] ? _raw_spin_unlock_irq+0x27/0x70
[ 53.076541] ____fput+0x15/0x20
[ 53.079818] task_work_run+0x1e4/0x290
[ 53.083685] ? task_work_cancel+0x240/0x240
[ 53.087995] ? exit_to_usermode_loop+0x87/0x310
[ 53.092642] exit_to_usermode_loop+0x2bd/0x310
[ 53.097199] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.102033] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.107552] do_syscall_64+0x6ac/0x800
[ 53.111420] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.116242] ? syscall_return_slowpath+0x5c0/0x5c0
[ 53.121152] ? syscall_return_slowpath+0x30f/0x5c0
[ 53.126062] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 53.131409] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.136232] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.141401] RIP: 0033:0x47fc44
[ 53.144567] RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 53.152260] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
[ 53.159508] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.166771] RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
[ 53.174030] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
[ 53.181279] R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48
[ 53.188532]
[ 53.190147] Allocated by task 4471:
[ 53.193754] save_stack+0x43/0xd0
[ 53.197195] kasan_kmalloc+0xc4/0xe0
[ 53.200888] __kmalloc+0x14e/0x760
[ 53.204404] sk_prot_alloc+0x1ae/0x2e0
[ 53.208268] sk_alloc+0x104/0x17b0
[ 53.211784] tun_chr_open+0xef/0x690
[ 53.215478] misc_open+0x3ca/0x560
[ 53.218997] chrdev_open+0x256/0x760
[ 53.222691] do_dentry_open+0x7ef/0xf10
[ 53.226656] vfs_open+0x139/0x230
[ 53.230100] path_openat+0x1676/0x4e20
[ 53.233970] do_filp_open+0x249/0x350
[ 53.237748] do_sys_open+0x56f/0x740
[ 53.241441] __x64_sys_openat+0x9d/0x100
[ 53.245480] do_syscall_64+0x1b1/0x800
[ 53.249347] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.254506]
[ 53.256119] Freed by task 4471:
[ 53.259376] save_stack+0x43/0xd0
[ 53.262804] __kasan_slab_free+0x11a/0x170
[ 53.267030] kasan_slab_free+0xe/0x10
[ 53.270808] kfree+0xd9/0x260
[ 53.273890] __sk_destruct+0x772/0xa40
[ 53.277755] sk_destruct+0x78/0x90
[ 53.281271] __sk_free+0x22e/0x340
[ 53.284788] sk_free+0x42/0x50
[ 53.287960] __tun_detach+0xacd/0x1170
[ 53.291825] tun_chr_close+0x596/0x6e0
[ 53.295701] __fput+0x34d/0x890
[ 53.298956] ____fput+0x15/0x20
[ 53.302213] task_work_run+0x1e4/0x290
[ 53.306081] exit_to_usermode_loop+0x2bd/0x310
[ 53.310648] do_syscall_64+0x6ac/0x800
[ 53.314517] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.319684]
[ 53.321293] The buggy address belongs to the object at ffff8801b335a580
[ 53.321293] which belongs to the cache kmalloc-2048 of size 2048
[ 53.334113] The buggy address is located 1760 bytes inside of
[ 53.334113] 2048-byte region [ffff8801b335a580, ffff8801b335ad80)
[ 53.346138] The buggy address belongs to the page:
[ 53.351044] page:ffffea0006ccd680 count:1 mapcount:0 mapping:ffff8801b335a580 index:0x0 compound_mapcount: 0
[ 53.360987] flags: 0x2fffc0000008100(slab|head)
[ 53.365637] raw: 02fffc0000008100 ffff8801b335a580 0000000000000000 0000000100000003
[ 53.373496] raw: ffffea0006ca5da0 ffffea0006b572a0 ffff8801da800c40 0000000000000000
[ 53.381350] page dumped because: kasan: bad access detected
[ 53.387031]
[ 53.388634] Memory state around the buggy address:
[ 53.393539] ffff8801b335ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.400874] ffff8801b335ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.408212] >ffff8801b335ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.415542] ^
[ 53.422028] ffff8801b335ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.429364] ffff8801b335ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.436698]
==================================================================
[ 53.444118] Disabling lock debugging due to kernel taint
[ 53.449545] Kernel panic - not syncing: panic_on_warn set ...
[ 53.449545]
[ 53.456890] CPU: 1 PID: 4471 Comm: syz-fuzzer Tainted: G B 4.17.0-rc4+ #1
[ 53.465095] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.474424] Call Trace:
[ 53.476996] dump_stack+0x1b9/0x294
[ 53.480609] ? dump_stack_print_info.cold.2+0x52/0x52
[ 53.485780] ? lock_downgrade+0x8e0/0x8e0
[ 53.489917] ? vprintk_default+0x28/0x30
[ 53.493961] ? __lock_acquire+0x3790/0x5140
[ 53.498270] panic+0x22f/0x4de
[ 53.501441] ? add_taint.cold.5+0x16/0x16
[ 53.505588] ? add_taint.cold.5+0x5/0x16
[ 53.509630] ? do_raw_spin_unlock+0x9e/0x2e0
[ 53.514016] ? __lock_acquire+0x3888/0x5140
[ 53.518317] kasan_end_report+0x47/0x4f
[ 53.522269] kasan_report.cold.7+0x76/0x2fe
[ 53.526573] __asan_report_load8_noabort+0x14/0x20
[ 53.531484] __lock_acquire+0x3888/0x5140
[ 53.535612] ? kasan_check_write+0x14/0x20
[ 53.539827] ? __mutex_unlock_slowpath+0x180/0x8a0
[ 53.544755] ? __sk_destruct+0x70b/0xa40
[ 53.548811] ? wait_for_completion+0x870/0x870
[ 53.553378] ? debug_check_no_locks_freed+0x310/0x310
[ 53.558552] ? __mutex_lock+0x7d9/0x17f0
[ 53.562593] ? rtnl_lock+0x17/0x20
[ 53.566115] ? print_usage_bug+0xc0/0xc0
[ 53.570158] ? mutex_trylock+0x2a0/0x2a0
[ 53.574200] ? mutex_unlock+0xd/0x10
[ 53.577894] ? __rtnl_unlock+0x7e/0x90
[ 53.581761] ? netdev_run_todo+0x747/0xa50
[ 53.585979] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 53.590711] ? refcount_inc_not_zero+0x2d0/0x2d0
[ 53.595445] ? register_netdev+0x50/0x50
[ 53.599489] ? sk_destruct+0x7d/0x90
[ 53.603188] ? __sk_free+0x233/0x340
[ 53.606880] ? sk_free+0x47/0x50
[ 53.610225] ? __tun_detach+0x1a3/0x1170
[ 53.614267] ? debug_check_no_locks_freed+0x310/0x310
[ 53.619434] ? tun_attach+0x1720/0x1720
[ 53.623387] lock_acquire+0x1dc/0x520
[ 53.627174] ? tun_chr_close+0x334/0x6e0
[ 53.631224] ? lock_release+0xa10/0xa10
[ 53.635175] ? __lock_is_held+0xb5/0x140
[ 53.639221] ? __tun_detach+0x1170/0x1170
[ 53.643351] _raw_spin_lock+0x2a/0x40
[ 53.647129] ? tun_chr_close+0x334/0x6e0
[ 53.651178] tun_chr_close+0x334/0x6e0
[ 53.655049] ? fcntl_setlk+0x1020/0x1020
[ 53.659091] ? __tun_detach+0x1170/0x1170
[ 53.663219] ? fsnotify+0xfc0/0xfc0
[ 53.666824] ? fsnotify_first_mark+0x330/0x330
[ 53.671396] ? __might_sleep+0x95/0x190
[ 53.675349] ? __tun_detach+0x1170/0x1170
[ 53.679491] __fput+0x34d/0x890
[ 53.682760] ? fput+0x1a0/0x1a0
[ 53.686022] ? _raw_spin_unlock_irq+0x27/0x70
[ 53.690496] ____fput+0x15/0x20
[ 53.693760] task_work_run+0x1e4/0x290
[ 53.697630] ? task_work_cancel+0x240/0x240
[ 53.701933] ? exit_to_usermode_loop+0x87/0x310
[ 53.706582] exit_to_usermode_loop+0x2bd/0x310
[ 53.711143] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.715970] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.721488] do_syscall_64+0x6ac/0x800
[ 53.725356] ? syscall_slow_exit_work+0x4f0/0x4f0
[ 53.730179] ? syscall_return_slowpath+0x5c0/0x5c0
[ 53.735092] ? syscall_return_slowpath+0x30f/0x5c0
[ 53.740024] ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 53.745368] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.750189] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.755357] RIP: 0033:0x47fc44
[ 53.758524] RSP: 002b:000000c420135550 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 53.766208] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fc44
[ 53.773454] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 53.780706] RBP: 000000c420135598 R08: 0000000000000000 R09: 0000000000000000
[ 53.787959] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c42017ca32
[ 53.795211] R13: 000000c42017ca37 R14: 000000c42017ca30 R15: 000000c42017ca48
[ 53.803002] Dumping ftrace buffer:
[ 53.806523] (ftrace buffer empty)
[ 53.810220] Kernel Offset: disabled
[ 53.813827] Rebooting in 86400 seconds..
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=135a5197800000
Tested on:
commit: ab452c3ce7ba ipvlan: call netdevice notifier when master m..
git tree: net
kernel config:
https://syzkaller.appspot.com/x/.config?x=3c81463aa207d27f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
patch:
https://syzkaller.appspot.com/x/patch.diff?x=10a35417800000