KASAN: use-after-free Read in cma_bind_port
16 views
Skip to first unread message
syzbot
Sep 7, 2018, 4:38:03āÆAM9/7/18
to dan...@mellanox.com, dled...@redhat.com, j...@ziepe.ca, le...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, pa...@mellanox.com, sw...@opengridcomputing.com, syzkall...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1660c266400000
kernel config: https://syzkaller.appspot.com/x/.config?x=6c9564cd177daf0c
dashboard link: https://syzkaller.appspot.com/bug?extid=da2591e115d57a9cbb8b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da2591...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in cma_bind_port+0x35d/0x3f0
drivers/infiniband/core/cma.c:3059
Read of size 2 at addr ffff8801b89fb320 by task syz-executor3/7584
CPU: 1 PID: 7584 Comm: syz-executor3 Not tainted 4.19.0-rc2+ #224
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
cma_bind_port+0x35d/0x3f0 drivers/infiniband/core/cma.c:3059
cma_alloc_port+0x115/0x180 drivers/infiniband/core/cma.c:3095
cma_alloc_any_port drivers/infiniband/core/cma.c:3160 [inline]
cma_get_port drivers/infiniband/core/cma.c:3314 [inline]
rdma_bind_addr+0x1765/0x23d0 drivers/infiniband/core/cma.c:3434
cma_bind_addr drivers/infiniband/core/cma.c:2963 [inline]
rdma_resolve_addr+0x4fa/0x27a0 drivers/infiniband/core/cma.c:2974
ucma_resolve_ip+0x242/0x2a0 drivers/infiniband/core/ucma.c:711
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x117/0x9d0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457099
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f47da18ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f47da18b6d4 RCX: 0000000000457099
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000000
Allocated by task 7601:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x730 mm/slab.c:3620
kmalloc include/linux/slab.h:513 [inline]
kzalloc include/linux/slab.h:707 [inline]
__rdma_create_id+0xdf/0x7a0 drivers/infiniband/core/cma.c:782
ucma_create_id+0x399/0x9d0 drivers/infiniband/core/ucma.c:502
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x117/0x9d0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7583:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xd9/0x210 mm/slab.c:3813
rdma_destroy_id+0x848/0xce0 drivers/infiniband/core/cma.c:1737
ucma_close+0x100/0x300 drivers/infiniband/core/ucma.c:1759
__fput+0x38a/0xa40 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801b89fb300
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8801b89fb300, ffff8801b89fbb00)
The buggy address belongs to the page:
page:ffffea0006e27e80 count:1 mapcount:0 mapping:ffff8801dac00c40 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006ec8108 ffffea0006e90288 ffff8801dac00c40
raw: 0000000000000000 ffff8801b89fa200 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b89fb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b89fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b89fb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b89fb380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b89fb400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot found the following crash on:
HEAD commit: b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1660c266400000
kernel config: https://syzkaller.appspot.com/x/.config?x=6c9564cd177daf0c
dashboard link: https://syzkaller.appspot.com/bug?extid=da2591e115d57a9cbb8b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da2591...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in cma_bind_port+0x35d/0x3f0
drivers/infiniband/core/cma.c:3059
Read of size 2 at addr ffff8801b89fb320 by task syz-executor3/7584
CPU: 1 PID: 7584 Comm: syz-executor3 Not tainted 4.19.0-rc2+ #224
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
cma_bind_port+0x35d/0x3f0 drivers/infiniband/core/cma.c:3059
cma_alloc_port+0x115/0x180 drivers/infiniband/core/cma.c:3095
cma_alloc_any_port drivers/infiniband/core/cma.c:3160 [inline]
cma_get_port drivers/infiniband/core/cma.c:3314 [inline]
rdma_bind_addr+0x1765/0x23d0 drivers/infiniband/core/cma.c:3434
cma_bind_addr drivers/infiniband/core/cma.c:2963 [inline]
rdma_resolve_addr+0x4fa/0x27a0 drivers/infiniband/core/cma.c:2974
ucma_resolve_ip+0x242/0x2a0 drivers/infiniband/core/ucma.c:711
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x117/0x9d0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457099
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f47da18ac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f47da18b6d4 RCX: 0000000000457099
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d8100 R14: 00000000004c1c28 R15: 0000000000000000
Allocated by task 7601:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x730 mm/slab.c:3620
kmalloc include/linux/slab.h:513 [inline]
kzalloc include/linux/slab.h:707 [inline]
__rdma_create_id+0xdf/0x7a0 drivers/infiniband/core/cma.c:782
ucma_create_id+0x399/0x9d0 drivers/infiniband/core/ucma.c:502
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x117/0x9d0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7583:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xd9/0x210 mm/slab.c:3813
rdma_destroy_id+0x848/0xce0 drivers/infiniband/core/cma.c:1737
ucma_close+0x100/0x300 drivers/infiniband/core/ucma.c:1759
__fput+0x38a/0xa40 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801b89fb300
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8801b89fb300, ffff8801b89fbb00)
The buggy address belongs to the page:
page:ffffea0006e27e80 count:1 mapcount:0 mapping:ffff8801dac00c40 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006ec8108 ffffea0006e90288 ffff8801dac00c40
raw: 0000000000000000 ffff8801b89fa200 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b89fb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b89fb280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b89fb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b89fb380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b89fb400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot
Sep 11, 2018, 9:13:03āÆPM9/11/18
to dan...@mellanox.com, dled...@redhat.com, j...@ziepe.ca, le...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, pa...@mellanox.com, sw...@opengridcomputing.com, syzkall...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 11da3a7f84f1 Linux 4.19-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11766c69400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9917ff4b798e1a1e
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da2591...@syzkaller.appspotmail.com
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
hrtimer: interrupt took 34369 ns
==================================================================
BUG: KASAN: use-after-free in cma_bind_port+0x35d/0x420
drivers/infiniband/core/cma.c:3059
Read of size 2 at addr ffff8801b7b056a0 by task syz-executor3/7271
CPU: 1 PID: 7271 Comm: syz-executor3 Not tainted 4.19.0-rc3+ #231
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
cma_bind_port+0x35d/0x420 drivers/infiniband/core/cma.c:3059
RAX: ffffffffffffffda RBX: 00007f71074b16d4 RCX: 00000000004572d9
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000008
Allocated by task 7285:
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
ucma_create_id+0x39b/0x990 drivers/infiniband/core/ucma.c:502
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x119/0x9f0 fs/read_write.c:485
rdma_destroy_id+0x835/0xcc0 drivers/infiniband/core/cma.c:1737
ucma_close+0x100/0x300 drivers/infiniband/core/ucma.c:1759
__fput+0x385/0xa30 fs/file_table.c:278
index:0xffff8801b7b04580 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006debf88 ffffea0006deb708 ffff8801da800c40
raw: ffff8801b7b04580 ffff8801b7b04580 0000000100000002 0000000000000000
ffff8801b7b05600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b7b05680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b7b05700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b7b05780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 11da3a7f84f1 Linux 4.19-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11766c69400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9917ff4b798e1a1e
dashboard link: https://syzkaller.appspot.com/bug?extid=da2591e115d57a9cbb8b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1686969e400000
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+da2591...@syzkaller.appspotmail.com
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
hrtimer: interrupt took 34369 ns
==================================================================
BUG: KASAN: use-after-free in cma_bind_port+0x35d/0x420
drivers/infiniband/core/cma.c:3059
Read of size 2 at addr ffff8801b7b056a0 by task syz-executor3/7271
CPU: 1 PID: 7271 Comm: syz-executor3 Not tainted 4.19.0-rc3+ #231
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
cma_bind_port+0x35d/0x420 drivers/infiniband/core/cma.c:3059
cma_alloc_port+0x115/0x180 drivers/infiniband/core/cma.c:3095
cma_alloc_any_port drivers/infiniband/core/cma.c:3160 [inline]
cma_get_port drivers/infiniband/core/cma.c:3314 [inline]
rdma_bind_addr+0x1765/0x23d0 drivers/infiniband/core/cma.c:3434
cma_bind_addr drivers/infiniband/core/cma.c:2963 [inline]
rdma_resolve_addr+0x4e2/0x2770 drivers/infiniband/core/cma.c:2974
cma_alloc_any_port drivers/infiniband/core/cma.c:3160 [inline]
cma_get_port drivers/infiniband/core/cma.c:3314 [inline]
rdma_bind_addr+0x1765/0x23d0 drivers/infiniband/core/cma.c:3434
cma_bind_addr drivers/infiniband/core/cma.c:2963 [inline]
ucma_resolve_ip+0x242/0x2a0 drivers/infiniband/core/ucma.c:711
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x119/0x9f0 fs/read_write.c:485
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4572d9
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f71074b0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RAX: ffffffffffffffda RBX: 00007f71074b16d4 RCX: 00000000004572d9
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000008
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d83c0 R14: 00000000004c1e90 R15: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
Allocated by task 7285:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
set_track mm/kasan/kasan.c:460 [inline]
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:513 [inline]
kzalloc include/linux/slab.h:707 [inline]
__rdma_create_id+0xdf/0x790 drivers/infiniband/core/cma.c:782
kzalloc include/linux/slab.h:707 [inline]
ucma_create_id+0x39b/0x990 drivers/infiniband/core/ucma.c:502
ucma_write+0x336/0x420 drivers/infiniband/core/ucma.c:1680
__vfs_write+0x119/0x9f0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7261:
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:607
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
set_track mm/kasan/kasan.c:460 [inline]
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3813
__cache_free mm/slab.c:3498 [inline]
rdma_destroy_id+0x835/0xcc0 drivers/infiniband/core/cma.c:1737
ucma_close+0x100/0x300 drivers/infiniband/core/ucma.c:1759
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801b7b05680
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 32 bytes inside of
2048-byte region [ffff8801b7b05680, ffff8801b7b05e80)
The buggy address is located 32 bytes inside of
The buggy address belongs to the page:
page:ffffea0006dec100 count:1 mapcount:0 mapping:ffff8801da800c40
index:0xffff8801b7b04580 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006debf88 ffffea0006deb708 ffff8801da800c40
raw: ffff8801b7b04580 ffff8801b7b04580 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801b7b05580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8801b7b05600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801b7b05680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801b7b05700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801b7b05780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Sep 12, 2018, 6:23:03āÆPM9/12/18
to syzkall...@googlegroups.com, xiyou.w...@gmail.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered
crash:
INFO: task hung in ucma_close
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
hrtimer: interrupt took 42233 ns
INFO: task syz-executor1:6951 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor1 D23160 6951 5451 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffcfd9f8870 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000005
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffcfd9f87a0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor0:6959 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D23160 6959 5446 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffcafbb74e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffcafbb7410 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor5:6987 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor5 D23160 6987 5452 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffd14741200 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffd14741130 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor2:6990 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor2 D22664 6990 5447 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffed4ded8f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffed4ded820 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor4:6999 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4 D23160 6999 5449 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 28 41 0f b6 4a 01 80 f9 7a 0f 84 92 00 00 00 80 f9 6f 75 65 49 83 c2
02 41 bd 01 00 00 00 4c 89 54 24 28 45 0f b6 02 41 80 f8 <29> 74 bc 45 84
c0 74 b7 41 80 f8 2c 74 c0 49 8d 4a 01 eb 12 0f 1f
RSP: 002b:00007ffebb2e0e70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffebb2e0da0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor3:7011 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D23160 7011 5444 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffd6f0585a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffd6f0584d0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
Showing all locks held in the system:
1 lock held by khungtaskd/984:
#0: 00000000aeabfca6 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x424 kernel/locking/lockdep.c:4436
1 lock held by rsyslogd/5207:
2 locks held by getty/5297:
#0: 00000000685cb9fa (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000002733c782 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5298:
#0: 0000000003e183c3 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000009f465eb7 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5299:
#0: 00000000d118b655 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000f553a115 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5300:
#0: 00000000d83a9052 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000814fac6c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5301:
#0: 00000000f04fb222 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000b6323d51 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5302:
#0: 000000004881cc51 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000c9a0b60d (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5303:
#0: 000000001aea2de3 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000e9bad739 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 984 Comm: khungtaskd Not tainted 4.19.0-rc3+ #1
nmi_trigger_cpumask_backtrace+0x1b3/0x1ed lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:144 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:204 [inline]
watchdog+0xb3e/0x1050 kernel/hung_task.c:265
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt+0x6/0x10
arch/x86/include/asm/irqflags.h:57
Tested on:
commit: 71e39c46b31c ucma: fix a use-after-free
git tree: https://github.com/congwang/linux.git ucma
console output: https://syzkaller.appspot.com/x/log.txt?x=179d3c2a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9917ff4b798e1a1e
syzbot has tested the proposed patch but the reproducer still triggered
crash:
INFO: task hung in ucma_close
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
INFO: task syz-executor1:6951 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor1 D23160 6951 5451 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffcfd9f8870 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000005
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffcfd9f87a0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor0:6959 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor0 D23160 6959 5446 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffcafbb74e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffcafbb7410 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor5:6987 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor5 D23160 6987 5452 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffd14741200 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffd14741130 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor2:6990 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor2 D22664 6990 5447 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffed4ded8f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffed4ded820 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor4:6999 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor4 D23160 6999 5449 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 28 41 0f b6 4a 01 80 f9 7a 0f 84 92 00 00 00 80 f9 6f 75 65 49 83 c2
02 41 bd 01 00 00 00 4c 89 54 24 28 45 0f b6 02 41 80 f8 <29> 74 bc 45 84
c0 74 b7 41 80 f8 2c 74 c0 49 8d 4a 01 eb 12 0f 1f
RSP: 002b:00007ffebb2e0e70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffebb2e0da0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
INFO: task syz-executor3:7011 blocked for more than 140 seconds.
Not tainted 4.19.0-rc3+ #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor3 D23160 7011 5444 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2825 [inline]
__schedule+0x86c/0x1ed0 kernel/sched/core.c:3473
schedule+0xfe/0x460 kernel/sched/core.c:3517
schedule_timeout+0x1cc/0x260 kernel/time/timer.c:1780
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x427/0x8a0 kernel/sched/completion.c:136
ucma_close+0xf5/0x310 drivers/infiniband/core/ucma.c:1764
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x410e91
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 24 90 00 00 00 48 8b 00 48 0f af c1 48 89 44 24 10 48 8b 44 24 50 48
89 04 24 48 8b 44 24 48 48 89 44 24 08 e8 20 61 04 00 48 <8b> 44 24 40 48
89 84 24 c8 00 00 00 48 8b ac 24 80 00 00 00 48 81
RSP: 002b:00007ffd6f0585a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000410e91
RDX: 0000000000000000 RSI: 0000000000733c40 RDI: 0000000000000004
RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007ffd6f0584d0 R11: 0000000000000293 R12: 0000000000412c30
R13: 0000000000412cc0 R14: 0000000000000000 R15: badc0ffeebadface
Showing all locks held in the system:
1 lock held by khungtaskd/984:
#0: 00000000aeabfca6 (rcu_read_lock){....}, at:
debug_show_all_locks+0xd0/0x424 kernel/locking/lockdep.c:4436
1 lock held by rsyslogd/5207:
2 locks held by getty/5297:
#0: 00000000685cb9fa (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000002733c782 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5298:
#0: 0000000003e183c3 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 000000009f465eb7 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5299:
#0: 00000000d118b655 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000f553a115 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5300:
#0: 00000000d83a9052 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000814fac6c (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5301:
#0: 00000000f04fb222 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000b6323d51 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5302:
#0: 000000004881cc51 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000c9a0b60d (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
2 locks held by getty/5303:
#0: 000000001aea2de3 (&tty->ldisc_sem){++++}, at:
ldsem_down_read+0x32/0x40 drivers/tty/tty_ldsem.c:353
#1: 00000000e9bad739 (&ldata->atomic_read_lock){+.+.}, at:
n_tty_read+0x335/0x1ce0 drivers/tty/n_tty.c:2140
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 984 Comm: khungtaskd Not tainted 4.19.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
nmi_cpu_backtrace.cold.3+0x63/0xa2 lib/nmi_backtrace.c:101
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
nmi_trigger_cpumask_backtrace+0x1b3/0x1ed lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:144 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:204 [inline]
watchdog+0xb3e/0x1050 kernel/hung_task.c:265
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt+0x6/0x10
arch/x86/include/asm/irqflags.h:57
Tested on:
commit: 71e39c46b31c ucma: fix a use-after-free
git tree: https://github.com/congwang/linux.git ucma
console output: https://syzkaller.appspot.com/x/log.txt?x=179d3c2a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9917ff4b798e1a1e
syzbot
Sep 12, 2018, 7:03:02āÆPM9/12/18
to syzkall...@googlegroups.com, xiyou.w...@gmail.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+da2591...@syzkaller.appspotmail.com
Tested on:
commit: b6acd6a14c74 ucma: fix a use-after-free
syzbot has tested the proposed patch and the reproducer did not trigger
crash:
Reported-and-tested-by:
syzbot+da2591...@syzkaller.appspotmail.com
Tested on:
commit: b6acd6a14c74 ucma: fix a use-after-free
git tree: https://github.com/congwang/linux.git ucma
kernel config: https://syzkaller.appspot.com/x/.config?x=8f59875069d721b6
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages