[v5.15] KASAN: use-after-free Read in smc_fback_error_report


syzbot

Mar 30, 2024, 5:24:19 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9465fef4ae35 Linux 5.15.153
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10cfa6e5180000
kernel config: https://syzkaller.appspot.com/x/.config?x=74ff83133fa97f6c
dashboard link: https://syzkaller.appspot.com/bug?extid=044f5fa86a08a230ad01
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3c82fda40b43/disk-9465fef4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ec13893dc103/vmlinux-9465fef4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7b44910e5283/Image-9465fef4.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+044f5f...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
Read of size 8 at addr ffff0000ec0e0538 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.153-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
sk_error_report+0x44/0x374 net/core/sock.c:339
tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
tcp_write_timeout net/ipv4/tcp_timer.c:277 [inline]
tcp_retransmit_timer+0xc40/0x1d3c net/ipv4/tcp_timer.c:532
tcp_write_timer_handler+0x1e8/0x8a8 net/ipv4/tcp_timer.c:644
tcp_write_timer+0x178/0x318 net/ipv4/tcp_timer.c:664
call_timer_fn+0x19c/0x8f0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x554/0x718 kernel/time/timer.c:1737
run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1750
__do_softirq+0x344/0xdb0 kernel/softirq.c:558
do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
invoke_softirq kernel/softirq.c:439 [inline]
__irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:637
irq_exit+0x14/0x88 kernel/softirq.c:661
handle_domain_irq+0xf4/0x178 kernel/irq/irqdesc.c:710
gic_handle_irq+0x78/0x1c8 drivers/irqchip/irq-gic-v3.c:758
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:899
do_interrupt_handler+0x74/0x94 arch/arm64/kernel/entry-common.c:267
el1_interrupt+0x30/0x58 arch/arm64/kernel/entry-common.c:454
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:470
el1h_64_irq+0x78/0x7c arch/arm64/kernel/entry.S:580
arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
default_idle_call+0xcc/0x4a8 kernel/sched/idle.c:112
cpuidle_idle_call kernel/sched/idle.c:194 [inline]
do_idle+0x1d4/0x4dc kernel/sched/idle.c:306
cpu_startup_entry+0x24/0x28 kernel/sched/idle.c:403
secondary_start_kernel+0x240/0x298 arch/arm64/kernel/smp.c:265
__secondary_switched+0x94/0x98 arch/arm64/kernel/head.S:661

The buggy address belongs to the page:
page:00000000c7759db4 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x3 pfn:0x12c0e0
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003668808 fffffc0003acd008 0000000000000000
raw: 0000000000000003 0000000000000004 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000ec0e0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ec0e0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000ec0e0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
ffff0000ec0e0580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ec0e0600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
IPVS: wrr: TCP 172.20.20.170:21 - no destination available
IPVS: wrr: TCP 172.20.20.170:21 - no destination available
IPVS: wrr: TCP 172.20.20.170:21 - no destination available


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
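Triage of a report like the one above starts with the same few fields every time: the bug class on the BUG line, the access kind and size, the frame that performed it, the frames that called it, and the shadow byte covering the faulting address. The script below is an added example (not syzbot's or the kernel's code) that extracts those fields mechanically from a KASAN report and decodes the shadow byte with the generic-KASAN values from mm/kasan/kasan.h in the 5.15 series. Its input is a constructed excerpt of the report above, trimmed to the first thirteen frames and one shadow row so that it runs offline; the function and field names are the example's own.

```python
"""Pull the triage-relevant fields out of a KASAN report.
Added example, not syzbot or kernel tooling."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the syzbot report above (frames trimmed, one shadow row).
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
Read of size 8 at addr ffff0000ec0e0538 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.153-syzkaller #0
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
smc_fback_error_report+0x6c/0x98 net/smc/af_smc.c:656
sk_error_report+0x44/0x374 net/core/sock.c:339
tcp_write_err net/ipv4/tcp_timer.c:71 [inline]
tcp_write_timeout net/ipv4/tcp_timer.c:277 [inline]
tcp_retransmit_timer+0xc40/0x1d3c net/ipv4/tcp_timer.c:532

Memory state around the buggy address:
>ffff0000ec0e0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[^\s+]+)"
                    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)$")
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
FRAME_RE = re.compile(r"^(?P<func>[^\s+]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? "
                      r"(?P<loc>\S+\.[chS]:\d+)(?P<inline> \[inline\])?$")
SHADOW_RE = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Generic KASAN shadow values (mm/kasan/kasan.h, 5.15 series). 0x00..0x07 encode
# how many leading bytes of the 8-byte granule are addressable.
SHADOW_NAMES = {
    0xF1: "stack left redzone", 0xF2: "stack mid redzone", 0xF3: "stack right redzone",
    0xF4: "stack partial redzone", 0xF8: "vmalloc invalid", 0xF9: "global redzone",
    0xFA: "freed slab object with free track (KASAN_KMALLOC_FREETRACK)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)", 0xFC: "kmalloc redzone",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)", 0xFF: "freed page (KASAN_FREE_PAGE)",
}


@dataclass
class KasanReport:
    kind: str
    func: str
    loc: str
    access: str
    size: int
    addr: int
    task: str
    frames: list = field(default_factory=list)  # (func, file:line, is_inline), callee first
    shadow: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes


def parse_kasan_report(text: str) -> KasanReport:
    kind = func = loc = access = task = None
    size = addr = 0
    frames, shadow, in_trace = [], {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if m := BUG_RE.match(line):
            kind, func, loc = m["kind"], m["func"], m["loc"]
        elif m := ACCESS_RE.match(line):
            access, size, addr, task = m["access"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line in ("Call trace:", "Call Trace:"):  # arm64 / x86 spellings
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append((m["func"], m["loc"], bool(m["inline"])))
        elif in_trace and not line:
            in_trace = False  # blank line ends the trace
        elif m := SHADOW_RE.match(line):
            shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    if kind is None or access is None:
        raise ValueError("not a KASAN report")
    return KasanReport(kind, func, loc, access, size, addr, task, frames, shadow)


def culprit(report: KasanReport) -> int:
    """Index of the frame named on the BUG line; everything before it is KASAN's own reporting."""
    for i, (f, l, _) in enumerate(report.frames):
        if f == report.func and l == report.loc:
            return i
    raise ValueError("faulting frame not found in trace")


def callers(report: KasanReport, depth: int = 3) -> list:
    """Frames above the faulting one: the path that drove the bad access."""
    i = culprit(report)
    return [(f, l) for f, l, _ in report.frames[i + 1:i + 1 + depth]]


def shadow_byte_at(report: KasanReport, addr: int) -> Optional[int]:
    """Each dumped shadow byte covers an 8-byte granule; a row covers 128 bytes."""
    for base, row in report.shadow.items():
        if base <= addr < base + 16 * 8:
            return row[(addr - base) // 8]
    return None


def shadow_meaning(b: int) -> str:
    if b == 0:
        return "8 bytes accessible"
    if 1 <= b <= 7:
        return f"first {b} of 8 bytes accessible"
    return SHADOW_NAMES.get(b, f"unknown shadow value 0x{b:02x}")


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    b = shadow_byte_at(r, r.addr)
    print(f"{r.kind}: {r.access} of {r.size} at {r.addr:#x} in {r.func} ({r.loc})")
    print("called from:", " <- ".join(f for f, _ in callers(r)))
    print(f"shadow 0x{b:02x}: {shadow_meaning(b)}")
```

On this report the shadow byte under the caret is 0xff, which in the 5.15 generic-KASAN encoding is KASAN_FREE_PAGE rather than the 0xfb of a freed slab object; that agrees with the page dump above showing refcount:0 and tells the triager the page holding the address had already gone back to the page allocator when the timer-driven sk_error_report call read through it.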