KASAN: use-after-free Read in rxrpc_send_keepalive

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: b678c568 Merge tag 'nfs-for-5.3-2' of git://git.linux-nfs...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ea5e36600000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4c9e9f08e9e8960
dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c2...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
net/rxrpc/output.c:635
Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

CPU: 0 PID: 11077 Comm: kworker/0:3 Not tainted 5.3.0-rc3+ #96
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351
__kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482
kasan_report+0x12/0x17 mm/kasan/common.c:612
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635
rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430
process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 20465:
save_stack+0x23/0x90 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:460
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]
rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
rxrpc_lookup_local+0x64c/0x1b70 net/rxrpc/local_object.c:279
rxrpc_sendmsg+0x379/0x5f0 net/rxrpc/af_rxrpc.c:566
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:657
___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
__sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
__do_sys_sendmmsg net/socket.c:2442 [inline]
__se_sys_sendmmsg net/socket.c:2439 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
save_stack+0x23/0x90 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:449
kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
__cache_free mm/slab.c:3425 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3756
rxrpc_local_rcu+0x62/0x80 net/rxrpc/local_object.c:471
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2114 [inline]
rcu_core+0x67f/0x1580 kernel/rcu/tree.c:2314
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
__do_softirq+0x262/0x98c kernel/softirq.c:292

The buggy address belongs to the object at ffff888064219680
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of
1024-byte region [ffff888064219680, ffff888064219a80)
The buggy address belongs to the page:
page:ffffea0001908600 refcount:1 mapcount:0 mapping:ffff8880aa400c40
index:0xffff888064218480 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025f5a08 ffffea00028fca08 ffff8880aa400c40
raw: ffff888064218480 ffff888064218000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888064219580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888064219600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888064219680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888064219700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888064219780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: ed2393ca Add linux-next specific files for 20190827
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=156adb1e600000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ef5940a07ed45f4

dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167ab582600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c2...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready

==================================================================
BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940

net/rxrpc/output.c:634
Read of size 8 at addr ffff888086b01218 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc6-next-20190827 #74

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113

print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:634

rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430
process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
worker_thread+0x98/0xe40 kernel/workqueue.c:2415
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 8741:

save_stack+0x23/0x90 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]

__kasan_kmalloc mm/kasan/common.c:510 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:483
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__do_kmalloc mm/slab.c:3655 [inline]
__kmalloc+0x163/0x770 mm/slab.c:3664
kmalloc_array include/linux/slab.h:614 [inline]
kcalloc include/linux/slab.h:625 [inline]
alloc_pipe_info+0x199/0x420 fs/pipe.c:676
get_pipe_inode fs/pipe.c:738 [inline]
create_pipe_files+0x8e/0x730 fs/pipe.c:770
__do_pipe_flags+0x48/0x250 fs/pipe.c:807
do_pipe2+0x84/0x160 fs/pipe.c:855
__do_sys_pipe2 fs/pipe.c:873 [inline]
__se_sys_pipe2 fs/pipe.c:871 [inline]
__x64_sys_pipe2+0x54/0x80 fs/pipe.c:871
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8741:

save_stack+0x23/0x90 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]

kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480

__cache_free mm/slab.c:3425 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3756

free_pipe_info+0x243/0x300 fs/pipe.c:709
put_pipe_info+0xd0/0xf0 fs/pipe.c:582
pipe_release+0x1e6/0x280 fs/pipe.c:603
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x316/0x380 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x65f/0x760 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888086b01200

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of

1024-byte region [ffff888086b01200, ffff888086b01600)

The buggy address belongs to the page:

page:ffffea00021ac000 refcount:1 mapcount:0 mapping:ffff8880aa400c40
index:0xffff888086b00480 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00027b5588 ffffea00028e3808 ffff8880aa400c40
raw: ffff888086b00480 ffff888086b00000 0000000100000003 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff888086b01100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888086b01180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888086b01200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888086b01280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888086b01300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 3120b9a6 Merge tag 'ipc-fixes' of git://git.kernel.org/pub..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107d1ca5600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ed2b148cd67382ec
dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31
compiler: clang version 9.0.0 (/home/glider/llvm/clang
80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17347095600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143bcca5600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d850c2...@syzkaller.appspotmail.com

==================================================================

BUG: KASAN: use-after-free in rxrpc_send_keepalive+0xe2/0x3c0
net/rxrpc/output.c:634
Read of size 8 at addr ffff8880a859a058 by task kworker/0:2/3016

CPU: 0 PID: 3016 Comm: kworker/0:2 Not tainted 5.3.0-rc8+ #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: krxrpcd rxrpc_peer_keepalive_worker
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]

dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
print_address_description+0x75/0x5b0 mm/kasan/report.c:351
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
kasan_report+0x26/0x50 mm/kasan/common.c:618
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
rxrpc_send_keepalive+0xe2/0x3c0 net/rxrpc/output.c:634
rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
rxrpc_peer_keepalive_worker+0x76e/0xb40 net/rxrpc/peer_event.c:430
process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 9378:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:493
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550

kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:748 [inline]

rxrpc_alloc_connection+0x79/0x490 net/rxrpc/conn_object.c:41
rxrpc_alloc_client_connection net/rxrpc/conn_client.c:176 [inline]
rxrpc_get_client_conn net/rxrpc/conn_client.c:339 [inline]
rxrpc_connect_call+0xb30/0x2c40 net/rxrpc/conn_client.c:697
rxrpc_new_client_call+0x6d5/0xb60 net/rxrpc/call_object.c:289
rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline]
rxrpc_do_sendmsg+0xf2b/0x19b0 net/rxrpc/sendmsg.c:652
rxrpc_sendmsg+0x5eb/0x8b0 net/rxrpc/af_rxrpc.c:585
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg net/socket.c:657 [inline]
___sys_sendmsg+0x60d/0x910 net/socket.c:2311
__sys_sendmmsg+0x239/0x470 net/socket.c:2413

__do_sys_sendmmsg net/socket.c:2442 [inline]
__se_sys_sendmmsg net/socket.c:2439 [inline]

__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439
do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:455
kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
__cache_free mm/slab.c:3425 [inline]
kfree+0x115/0x200 mm/slab.c:3756
rxrpc_destroy_connection+0x1ec/0x240 net/rxrpc/conn_object.c:372

__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2114 [inline]

rcu_core+0x892/0xf10 kernel/rcu/tree.c:2314
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
__do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778

The buggy address belongs to the object at ffff8880a859a040

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of

1024-byte region [ffff8880a859a040, ffff8880a859a440)

The buggy address belongs to the page:

page:ffffea0002a16680 refcount:1 mapcount:0 mapping:ffff8880aa400c40
index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00024cc688 ffffea0002684d88 ffff8880aa400c40
raw: 0000000000000000 ffff8880a859a040 0000000100000007 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8880a8599f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a8599f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a859a000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a859a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a859a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[Hillf Danton]

> syzbot has found a reproducer for the following crash on Tue, 10 Sep 2019 16:35:06 -0700

>
> HEAD commit: 3120b9a6 Merge tag 'ipc-fixes' of git://git.kernel.org/pub..

> git tree: upstream

> console output: https://syzkaller.appspot.com/x/log.txt?x=107d1ca5600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ed2b148cd67382ec

> dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31

> compiler: clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17347095600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143bcca5600000
>

> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d850c2...@syzkaller.appspotmail.com
>
> ==================================================================

> BUG: KASAN: use-after-free in rxrpc_send_keepalive+0xe2/0x3c0
> net/rxrpc/output.c:634
> Read of size 8 at addr ffff8880a859a058 by task kworker/0:2/3016
>
> CPU: 0 PID: 3016 Comm: kworker/0:2 Not tainted 5.3.0-rc8+ #0

> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: krxrpcd rxrpc_peer_keepalive_worker
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]

> dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
> print_address_description+0x75/0x5b0 mm/kasan/report.c:351
> __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
> kasan_report+0x26/0x50 mm/kasan/common.c:618
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
> rxrpc_send_keepalive+0xe2/0x3c0 net/rxrpc/output.c:634
> rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline]
> rxrpc_peer_keepalive_worker+0x76e/0xb40 net/rxrpc/peer_event.c:430
> process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
> worker_thread+0xc01/0x1630 kernel/workqueue.c:2415

> kthread+0x332/0x350 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
>

> Allocated by task 9378:
> save_stack mm/kasan/common.c:69 [inline]
> set_track mm/kasan/common.c:77 [inline]
> __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:493
> kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507

> kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550

> kmalloc include/linux/slab.h:552 [inline]
> kzalloc include/linux/slab.h:748 [inline]

> rxrpc_alloc_connection+0x79/0x490 net/rxrpc/conn_object.c:41
> rxrpc_alloc_client_connection net/rxrpc/conn_client.c:176 [inline]
> rxrpc_get_client_conn net/rxrpc/conn_client.c:339 [inline]
> rxrpc_connect_call+0xb30/0x2c40 net/rxrpc/conn_client.c:697
> rxrpc_new_client_call+0x6d5/0xb60 net/rxrpc/call_object.c:289
> rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline]
> rxrpc_do_sendmsg+0xf2b/0x19b0 net/rxrpc/sendmsg.c:652
> rxrpc_sendmsg+0x5eb/0x8b0 net/rxrpc/af_rxrpc.c:585
> sock_sendmsg_nosec net/socket.c:637 [inline]
> sock_sendmsg net/socket.c:657 [inline]
> ___sys_sendmsg+0x60d/0x910 net/socket.c:2311

> __sys_sendmmsg+0x239/0x470 net/socket.c:2413

> __do_sys_sendmmsg net/socket.c:2442 [inline]
> __se_sys_sendmmsg net/socket.c:2439 [inline]

> __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439
> do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>

> Freed by task 16:
> save_stack mm/kasan/common.c:69 [inline]
> set_track mm/kasan/common.c:77 [inline]
> __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:455
> kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
> __cache_free mm/slab.c:3425 [inline]
> kfree+0x115/0x200 mm/slab.c:3756
> rxrpc_destroy_connection+0x1ec/0x240 net/rxrpc/conn_object.c:372

> __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
> rcu_do_batch kernel/rcu/tree.c:2114 [inline]

> rcu_core+0x892/0xf10 kernel/rcu/tree.c:2314
> rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
> __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778
>
> The buggy address belongs to the object at ffff8880a859a040

> which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 24 bytes inside of

> 1024-byte region [ffff8880a859a040, ffff8880a859a440)

> The buggy address belongs to the page:

> page:ffffea0002a16680 refcount:1 mapcount:0 mapping:ffff8880aa400c40
> index:0x0 compound_mapcount: 0
> flags: 0x1fffc0000010200(slab|head)

> raw: 01fffc0000010200 ffffea00024cc688 ffffea0002684d88 ffff8880aa400c40

> raw: 0000000000000000 ffff8880a859a040 0000000100000007 0000000000000000

> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:

> ffff8880a8599f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a8599f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ffff8880a859a000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ^
> ffff8880a859a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a859a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================

Fix be6e6707f6ee

--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -287,6 +287,7 @@ static struct rxrpc_peer *rxrpc_create_p

peer = rxrpc_alloc_peer(local, gfp);
if (peer) {
+ rxrpc_get_local(local);
memcpy(&peer->srx, srx, sizeof(*srx));
rxrpc_init_peer(rx, peer, hash_key);
}
@@ -361,9 +362,10 @@ struct rxrpc_peer *rxrpc_lookup_peer(str

spin_unlock_bh(&rxnet->peer_hash_lock);

- if (peer)
+ if (peer) {
+ rxrpc_put_local(candidate->local);
kfree(candidate);
- else
+ } else
peer = candidate;
}

@@ -417,6 +419,7 @@ static void __rxrpc_put_peer(struct rxrp
list_del_init(&peer->keepalive_link);
spin_unlock_bh(&rxnet->peer_hash_lock);

+ rxrpc_put_local(peer->local);
kfree_rcu(peer, rcu);
}

[David Howells]

This is the fix, I think.

David
---
rxrpc: Fix call ref leak

When sendmsg() finds a call to continue on with, if the call is in an
inappropriate state, it doesn't release the ref it just got on that call
before returning an error.

This causes the following symptom to show up with kasan:

BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940

net/rxrpc/output.c:635
Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077

where line 635 is:

whdr.epoch = htonl(peer->local->rxnet->epoch);

The local endpoint (which cannot be pinned by the call) has been released,
but not the peer (which is pinned by the call).

Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception")
Reported-by: syzbot+d850c2...@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhow...@redhat.com>
---
sendmsg.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 6cd55b1d79f9..79b5b23db4c1 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
case RXRPC_CALL_SERVER_PREALLOC:
case RXRPC_CALL_SERVER_SECURING:
case RXRPC_CALL_SERVER_ACCEPTING:
+ rxrpc_put_call(call, rxrpc_call_put);
ret = -EBUSY;
goto error_release_sock;
default:

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: use-after-free Read in rxrpc_put_peer

==================================================================
BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
[inline]
BUG: KASAN: use-after-free in rxrpc_put_peer+0xb5/0x2c0
net/rxrpc/peer_object.c:435
Read of size 8 at addr ffff8880a4106958 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.3.0+ #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011

Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113

print_address_description+0x75/0x5c0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
__rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline]
rxrpc_put_peer+0xb5/0x2c0 net/rxrpc/peer_object.c:435
rxrpc_rcu_destroy_call+0x56/0x100 net/rxrpc/call_object.c:566
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2157 [inline]
rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
__do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766
run_ksoftirqd+0x64/0xf0 kernel/softirq.c:603
smpboot_thread_fn+0x5b3/0x9a0 kernel/smpboot.c:165

kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 27170:

save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]

__kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524

kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550
kmalloc include/linux/slab.h:552 [inline]

kzalloc include/linux/slab.h:686 [inline]
rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
rxrpc_lookup_local+0x708/0x16f0 net/rxrpc/local_object.c:277
rxrpc_sendmsg+0x493/0x8b0 net/rxrpc/af_rxrpc.c:566

sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg net/socket.c:657 [inline]
___sys_sendmsg+0x60d/0x910 net/socket.c:2311
__sys_sendmmsg+0x239/0x470 net/socket.c:2413
__do_sys_sendmmsg net/socket.c:2442 [inline]
__se_sys_sendmmsg net/socket.c:2439 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439

do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290

entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 16:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]

kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480

__cache_free mm/slab.c:3425 [inline]
kfree+0x115/0x200 mm/slab.c:3756

rxrpc_local_rcu+0x63/0x80 net/rxrpc/local_object.c:499
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2157 [inline]
rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
__do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766

The buggy address belongs to the object at ffff8880a4106940

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes inside of

1024-byte region [ffff8880a4106940, ffff8880a4106d40)

The buggy address belongs to the page:

page:ffffea0002904180 refcount:1 mapcount:0 mapping:ffff8880aa400c40
index:0xffff8880a4107b40 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025b5d88 ffffea0001fde008 ffff8880aa400c40
raw: ffff8880a4107b40 ffff8880a4106040 0000000100000004 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8880a4106800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a4106880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8880a4106900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a4106980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4106a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 908b2297 rxrpc: Fix call ref leak
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1287a4fb600000
kernel config: https://syzkaller.appspot.com/x/.config?x=6ee588e2e6694cf6