KASAN: use-after-free Write in padata_parallel_worker
7 views
Skip to first unread message
syzbot
May 2, 2019, 12:03:08 PM5/2/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 1c046f37 Linux 4.14.115
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d64670a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=453b2eab9a394b3e
dashboard link: https://syzkaller.appspot.com/bug?extid=51df2d83e8ab39e40323
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+51df2d...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x328/0x3c0
kernel/padata.c:74
Write of size 8 at addr ffff8880684a4898 by task kworker/0:3/6774
CPU: 0 PID: 6774 Comm: kworker/0:3 Not tainted 4.14.115 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x11e/0x2db mm/kasan/report.c:393
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
padata_parallel_worker+0x328/0x3c0 kernel/padata.c:74
process_one_work+0x868/0x1610 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x31c/0x430 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Allocated by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc08/0x1210 net/tls/tls_sw.c:293
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880684a4840
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
256-byte region [ffff8880684a4840, ffff8880684a4940)
The buggy address belongs to the page:
page:ffffea0001a12900 count:1 mapcount:0 mapping:ffff8880684a40c0
index:0xffff8880684a4ac0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880684a40c0 ffff8880684a4ac0 000000010000000b
raw: ffffea0002978ea0 ffffea00022b2960 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880684a4780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff8880684a4800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8880684a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880684a4900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880684a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 1c046f37 Linux 4.14.115
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d64670a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=453b2eab9a394b3e
dashboard link: https://syzkaller.appspot.com/bug?extid=51df2d83e8ab39e40323
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+51df2d...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x328/0x3c0
kernel/padata.c:74
Write of size 8 at addr ffff8880684a4898 by task kworker/0:3/6774
CPU: 0 PID: 6774 Comm: kworker/0:3 Not tainted 4.14.115 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x11e/0x2db mm/kasan/report.c:393
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
padata_parallel_worker+0x328/0x3c0 kernel/padata.c:74
process_one_work+0x868/0x1610 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x31c/0x430 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402
Allocated by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 23535:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc08/0x1210 net/tls/tls_sw.c:293
tls_sw_sendmsg+0x9ea/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x128/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xd0/0x110 net/socket.c:656
___sys_sendmsg+0x70c/0x850 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880684a4840
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
256-byte region [ffff8880684a4840, ffff8880684a4940)
The buggy address belongs to the page:
page:ffffea0001a12900 count:1 mapcount:0 mapping:ffff8880684a40c0
index:0xffff8880684a4ac0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880684a40c0 ffff8880684a4ac0 000000010000000b
raw: ffffea0002978ea0 ffffea00022b2960 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880684a4780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff8880684a4800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8880684a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880684a4900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880684a4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 23, 2019, 2:16:10 PM9/23/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105c08bd600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155bfef9600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+51df2d...@syzkaller.appspotmail.com
audit: type=1400 audit(1569262336.964:36): avc: denied { map } for
pid=6856 comm="syz-executor351" path="/root/syz-executor351349758"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
kernel/padata.c:74
Write of size 8 at addr ffff888089d697d8 by task kworker/0:2/3150
CPU: 0 PID: 3150 Comm: kworker/0:2 Not tainted 4.14.146 #0
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 6856:
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 6856:
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff888089d69780
index:0xffff888089d69dc0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888089d69000 ffff888089d69dc0 0000000100000008
raw: ffffea0002212c20 ffffea0002291160 ffff8880aa8007c0 0000000000000000
ffff888089d69700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff888089d69780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888089d69800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888089d69880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105c08bd600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=51df2d83e8ab39e40323
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171ad0bd600000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=155bfef9600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+51df2d...@syzkaller.appspotmail.com
pid=6856 comm="syz-executor351" path="/root/syz-executor351349758"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
BUG: KASAN: use-after-free in padata_parallel_worker+0x313/0x3b0
BUG: KASAN: use-after-free in list_replace include/linux/list.h:141 [inline]
BUG: KASAN: use-after-free in list_replace_init include/linux/list.h:149
[inline]
kernel/padata.c:74
Write of size 8 at addr ffff888089d697d8 by task kworker/0:2/3150
CPU: 0 PID: 3150 Comm: kworker/0:2 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
Google 01/01/2011
Workqueue: pencrypt padata_parallel_worker
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
padata_parallel_worker+0x313/0x3b0 kernel/padata.c:74
list_replace include/linux/list.h:141 [inline]
list_replace_init include/linux/list.h:149 [inline]
process_one_work+0x863/0x1600 kernel/workqueue.c:2114
worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
kthread+0x319/0x430 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 6856:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
tls_push_record+0x10a/0x1210 net/tls/tls_sw.c:250
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 6856:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_push_record+0xc03/0x1210 net/tls/tls_sw.c:293
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
tls_sw_sendmsg+0x9e8/0x1020 net/tls/tls_sw.c:457
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff888089d69780
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 88 bytes inside of
256-byte region [ffff888089d69780, ffff888089d69880)
The buggy address is located 88 bytes inside of
The buggy address belongs to the page:
page:ffffea0002275a40 count:1 mapcount:0 mapping:ffff888089d69000
index:0xffff888089d69dc0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888089d69000 ffff888089d69dc0 0000000100000008
raw: ffffea0002212c20 ffffea0002291160 ffff8880aa8007c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888089d69680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff888089d69700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff888089d69780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888089d69800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888089d69880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
Reply all
Reply to author
Forward
0 new messages