KASAN: null-ptr-deref Read in x25_connect


syzbot

Jun 11, 2019, 3:17:06 AM
to all...@lohutok.net, andrew...@gmail.com, ar...@arndb.de, da...@davemloft.net, edum...@google.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, m...@dev.tdt.de, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzbot found the following crash on:

HEAD commit: f4cfcfbd net: dsa: sja1105: Fix link speed not working at ..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=16815cd2a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4f721a391cd46ea
dashboard link: https://syzkaller.appspot.com/bug?extid=777a2aab6ffd397407b5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+777a2a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in refcount_sub_and_test_checked+0x87/0x200
lib/refcount.c:182
Read of size 4 at addr 00000000000000c8 by task syz-executor.2/16959

CPU: 0 PID: 16959 Comm: syz-executor.2 Not tainted 5.2.0-rc2+ #40
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__kasan_report.cold+0x5/0x40 mm/kasan/report.c:321
kasan_report+0x12/0x20 mm/kasan/common.c:614
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x123/0x190 mm/kasan/generic.c:191
kasan_check_read+0x11/0x20 mm/kasan/common.c:94
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
refcount_sub_and_test_checked+0x87/0x200 lib/refcount.c:182
refcount_dec_and_test_checked+0x1b/0x20 lib/refcount.c:220
x25_neigh_put include/net/x25.h:252 [inline]
x25_connect+0x8d8/0xea0 net/x25/af_x25.c:820
__sys_connect+0x264/0x330 net/socket.c:1840
__do_sys_connect net/socket.c:1851 [inline]
__se_sys_connect net/socket.c:1848 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1848
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f09776b4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000000000012 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f09776b56d4
R13: 00000000004bf854 R14: 00000000004d0e08 R15: 00000000ffffffff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Arnd Bergmann

Jun 11, 2019, 8:39:18 AM
to syzbot, all...@lohutok.net, Andrew Hendry, David Miller, Eric Dumazet, Linux Kernel Mailing List, linu...@vger.kernel.org, m...@dev.tdt.de, Networking, Neil Horman, syzkall...@googlegroups.com, Thomas Gleixner
On Tue, Jun 11, 2019 at 9:18 AM syzbot
<syzbot+777a2a...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: f4cfcfbd net: dsa: sja1105: Fix link speed not working at ..
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16815cd2a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4f721a391cd46ea
> dashboard link: https://syzkaller.appspot.com/bug?extid=777a2aab6ffd397407b5
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+777a2a...@syzkaller.appspotmail.com

Not sure why I was on Cc on this (I know nothing about x25), but I had
a brief look and found that this is in the error path of x25_connect,
after "goto out_put_neigh", with x25->neighbour==NULL.

This would indicate that either 'x25' is being freed between the
"if (!x25->neighbour)" check in that function and the
x25_neigh_put(x25->neighbour), or that there are two concurrent
calls to x25_connect, with both failing, so one sets
x25->neighbour=NULL before the other one checks it.

Arnd
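Added example, not the kernel's code and not part of the thread: a small user-space C model of the error path Arnd describes. A "socket" holds a refcounted neighbour, and the failing-connect path drops it and clears the field; running that path twice on the same socket (two failing connect attempts) reaches the put with neighbour == NULL in the unguarded version, while the guarded version snapshots and clears the field before the NULL check. All names (neigh_put, connect_fail_unguarded, connect_fail_guarded, run_twice) are constructed for this model.

```c
/* Constructed model of the x25_connect "out_put_neigh" pattern; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct neigh { int refcnt; };
struct x25_sock { struct neigh *neighbour; };

/* Stand-in for x25_neigh_put(): returns false instead of dereferencing NULL,
 * so the model can report the defect where KASAN would report null-ptr-deref. */
static bool neigh_put(struct neigh *nb)
{
    if (!nb)
        return false;
    if (--nb->refcnt == 0)
        free(nb);
    return true;
}

/* Unguarded error path: puts whatever the socket field holds right now,
 * so a second failing attempt puts NULL. */
static bool connect_fail_unguarded(struct x25_sock *x25)
{
    bool ok = neigh_put(x25->neighbour);
    x25->neighbour = NULL;
    return ok;
}

/* Guarded error path: take the pointer out of the socket first, then put only
 * a non-NULL value. Whoever cleared the field first owns the put; a later
 * attempt finds NULL and does nothing. In the kernel the swap would sit under
 * the socket lock so two attempts cannot interleave between check and put. */
static bool connect_fail_guarded(struct x25_sock *x25)
{
    struct neigh *nb = x25->neighbour;
    x25->neighbour = NULL;
    if (!nb)
        return true;            /* nothing left to drop; not an error */
    return neigh_put(nb);
}

/* Drive one error path twice on a socket holding one neighbour reference;
 * returns how many of the two calls completed without a NULL put. */
static int run_twice(bool (*path)(struct x25_sock *))
{
    struct neigh *nb = malloc(sizeof *nb);
    struct x25_sock x25 = { .neighbour = nb };
    int safe = 0;
    nb->refcnt = 1;
    safe += path(&x25);   /* first failing connect drops the neighbour */
    safe += path(&x25);   /* second failing connect sees neighbour == NULL */
    return safe;
}
```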

Dmitry Vyukov

Jun 11, 2019, 9:28:39 AM
to Arnd Bergmann, syzbot, all...@lohutok.net, Andrew Hendry, David Miller, Eric Dumazet, Linux Kernel Mailing List, linu...@vger.kernel.org, m...@dev.tdt.de, Networking, Neil Horman, syzkaller-bugs, Thomas Gleixner
On Tue, Jun 11, 2019 at 2:39 PM Arnd Bergmann <ar...@arndb.de> wrote:
>
> On Tue, Jun 11, 2019 at 9:18 AM syzbot
> <syzbot+777a2a...@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: f4cfcfbd net: dsa: sja1105: Fix link speed not working at ..
> > git tree: net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16815cd2a00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=4f721a391cd46ea
> > dashboard link: https://syzkaller.appspot.com/bug?extid=777a2aab6ffd397407b5
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+777a2a...@syzkaller.appspotmail.com
>
> Not sure why I was on Cc on this (I know nothing about x25),

syzbot uses get_maintainer.pl to find relevant people. This was
attributed to net/x25/af_x25.c file, which looks correct. And then
get_maintainer.pl points to you for this file:

$ scripts/get_maintainer.pl -f net/x25/af_x25.c
Andrew Hendry <andrew...@gmail.com> (odd fixer:X.25 NETWORK LAYER)
"David S. Miller" <da...@davemloft.net> (maintainer:NETWORKING
[GENERAL],commit_signer:7/9=78%)
Eric Dumazet <edum...@google.com>
(commit_signer:4/9=44%,authored:4/9=44%,added_lines:16/30=53%,removed_lines:10/50=20%)
Martin Schiller <m...@dev.tdt.de>
(commit_signer:2/9=22%,authored:2/9=22%,added_lines:11/30=37%,removed_lines:7/50=14%)
Marc Kleine-Budde <m...@pengutronix.de> (commit_signer:1/9=11%)
Willem de Bruijn <wil...@google.com> (commit_signer:1/9=11%)
Arnd Bergmann <ar...@arndb.de> (authored:1/9=11%,removed_lines:26/50=52%)
Thomas Gleixner <tg...@linutronix.de> (authored:1/9=11%,removed_lines:6/50=12%)
linu...@vger.kernel.org (open list:X.25 NETWORK LAYER)
net...@vger.kernel.org (open list:NETWORKING [GENERAL])
linux-...@vger.kernel.org (open list)

syzbot

Feb 11, 2020, 2:17:09 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.