KASAN: use-after-free Read in nfc_llcp_sock_unlink
18 views
Skip to first unread message
syzbot
Apr 14, 2021, 3:15:17 AM4/14/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 0f1b4cb7 Linux 4.19.187
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b9c5fcd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7160c73ac3937bfe
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174a4f...@syzkaller.appspotmail.com
overlayfs: './file0' not a directory
overlayfs: missing 'lowerdir'
overlayfs: failed to resolve './file1': -2
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff8880ae23cf10 by task syz-executor.1/16227
CPU: 0 PID: 16227 Comm: syz-executor.1 Not tainted 4.19.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:288
nfc_llcp_sock_unlink+0x1d/0x190 net/nfc/llcp_core.c:44
llcp_sock_release+0x286/0x520 net/nfc/llcp_sock.c:652
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
get_signal+0x1b64/0x1f70 kernel/signal.c:2400
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x466459
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faca8ad4188 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
RAX: fffffffffffffe00 RBX: 000000000056bf60 RCX: 0000000000466459
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000080800 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffe7e22cc1f R14: 00007faca8ad4300 R15: 0000000000022000
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 16249:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880ae23cb00
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1040 bytes inside of
2048-byte region [ffff8880ae23cb00, ffff8880ae23d300)
The buggy address belongs to the page:
page:ffffea0002b88f00 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002b86208 ffffea0002b0cb08 ffff88813bff0c40
raw: 0000000000000000 ffff8880ae23c280 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ae23ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae23ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae23cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae23cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae23d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 0f1b4cb7 Linux 4.19.187
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14b9c5fcd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7160c73ac3937bfe
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174a4f...@syzkaller.appspotmail.com
overlayfs: './file0' not a directory
overlayfs: missing 'lowerdir'
overlayfs: failed to resolve './file1': -2
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff8880ae23cf10 by task syz-executor.1/16227
CPU: 0 PID: 16227 Comm: syz-executor.1 Not tainted 4.19.187-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:288
nfc_llcp_sock_unlink+0x1d/0x190 net/nfc/llcp_core.c:44
llcp_sock_release+0x286/0x520 net/nfc/llcp_sock.c:652
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
get_signal+0x1b64/0x1f70 kernel/signal.c:2400
do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x466459
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faca8ad4188 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
RAX: fffffffffffffe00 RBX: 000000000056bf60 RCX: 0000000000466459
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000080800 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffe7e22cc1f R14: 00007faca8ad4300 R15: 0000000000022000
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 16249:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880ae23cb00
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1040 bytes inside of
2048-byte region [ffff8880ae23cb00, ffff8880ae23d300)
The buggy address belongs to the page:
page:ffffea0002b88f00 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002b86208 ffffea0002b0cb08 ffff88813bff0c40
raw: 0000000000000000 ffff8880ae23c280 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ae23ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae23ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae23cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae23cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae23d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 17, 2021, 12:59:18 PM4/17/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cf256fbc Linux 4.14.231
syzbot found the following issue on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15c421fed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=403e68efdb1dcca6
dashboard link: https://syzkaller.appspot.com/bug?extid=e957c786fee9905cefc7
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor.2'.
FAT-fs (loop3): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880ae6c25a0 by task syz-executor.2/9484
CPU: 1 PID: 9484 Comm: syz-executor.2 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Call Trace:
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:296
nfc_llcp_sock_unlink+0x1d/0x170 net/nfc/llcp_core.c:44
llcp_sock_release+0x235/0x4c0 net/nfc/llcp_sock.c:653
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x41926b
RSP: 002b:00007fff2915ad60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 000000000000000a RCX: 000000000041926b
RDX: ffffffffffffffbc RSI: 00000000089075c3 RDI: 0000000000000009
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b2df23be8
R10: 00007fff2915ae50 R11: 0000000000000293 R12: 000000000002a137
R13: 00000000000003e8 R14: 000000000056bf60 R15: 000000000002a0de
Allocated by task 1:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nfc_llcp_register_device+0x43/0xa50 net/nfc/llcp_core.c:1584
nfc_register_device+0x63/0x330 net/nfc/core.c:1132
nfcsim_device_new+0x372/0x5c2 drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x12a drivers/nfc/nfcsim.c:464
do_one_initcall+0x88/0x210 init/main.c:826
do_initcall_level init/main.c:892 [inline]
do_initcalls init/main.c:900 [inline]
do_basic_setup init/main.c:918 [inline]
kernel_init_freeable+0x553/0x614 init/main.c:1075
kernel_init+0xd/0x164 init/main.c:1000
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 9483:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x13c/0x190 net/nfc/llcp_core.c:195
kref_put include/linux/kref.h:70 [inline]
llcp_sock_destruct+0x69/0x120 net/nfc/llcp_sock.c:960
__sk_destruct+0x49/0x760 net/core/sock.c:1557
sk_destruct net/core/sock.c:1597 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1605
sk_free+0x2b/0x40 net/core/sock.c:1616
sock_put include/net/sock.h:1662 [inline]
llcp_sock_release+0x31b/0x4c0 net/nfc/llcp_sock.c:657
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880ae6c2180
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1056 bytes inside of
2048-byte region [ffff8880ae6c2180, ffff8880ae6c2980)
The buggy address belongs to the page:
page:ffffea0002b9b080 count:1 mapcount:0 mapping:ffff8880ae6c2180 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880ae6c2180 0000000000000000 0000000100000003
raw: ffffea0002b9ab20 ffffea0002b9c820 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ae6c2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880ae6c2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae6c2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae6c2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae6c2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
syzbot
Apr 17, 2021, 7:54:19 PM4/17/21
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: cf256fbc Linux 4.14.231
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14ae0aeed00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e957c7...@syzkaller.appspotmail.com
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
hrtimer: interrupt took 26903 ns
device veth0_macvtap entered promiscuous mode
CPU: 1 PID: 9349 Comm: syz-executor.0 Not tainted 4.14.231-syzkaller #0
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
RSP: 002b:00007ffeed971580 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 000000000041926b
RDX: 0000000000571768 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b2ef20214
R10: 00007ffeed971670 R11: 0000000000000293 R12: 0000000000183a22
R13: 00000000000003e8 R14: 000000000056bf60 R15: 00000000001839f3
Allocated by task 1:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 9350:
The buggy address belongs to the object at ffff8880ae612080
flags: 0xfff00000008100(slab|head)
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
raw: 00fff00000008100 ffff8880ae612080 0000000000000000 0000000100000003
raw: ffffea0002b96ea0 ffffea0002b99da0 ffff88813fe80c40 0000000000000000
ffff8880ae612400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae612480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae612500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae612580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
batman_adv: batadv0: Interface activated: batadv_slave_0
HEAD commit: cf256fbc Linux 4.14.231
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=403e68efdb1dcca6
dashboard link: https://syzkaller.appspot.com/bug?extid=e957c786fee9905cefc7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a55f65d00000
dashboard link: https://syzkaller.appspot.com/bug?extid=e957c786fee9905cefc7
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e957c7...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
hrtimer: interrupt took 26903 ns
device veth0_macvtap entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880ae6124a0 by task syz-executor.0/9349
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
CPU: 1 PID: 9349 Comm: syz-executor.0 Not tainted 4.14.231-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
device veth0_macvtap entered promiscuous mode
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:296
nfc_llcp_sock_unlink+0x1d/0x170 net/nfc/llcp_core.c:44
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:296
nfc_llcp_sock_unlink+0x1d/0x170 net/nfc/llcp_core.c:44
llcp_sock_release+0x235/0x4c0 net/nfc/llcp_sock.c:653
__sock_release+0xcd/0x2b0 net/socket.c:602
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x41926b
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x41926b
RSP: 002b:00007ffeed971580 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 000000000041926b
RDX: 0000000000571768 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000001b2ef20214
R10: 00007ffeed971670 R11: 0000000000000293 R12: 0000000000183a22
R13: 00000000000003e8 R14: 000000000056bf60 R15: 00000000001839f3
Allocated by task 1:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nfc_llcp_register_device+0x43/0xa50 net/nfc/llcp_core.c:1584
nfc_register_device+0x63/0x330 net/nfc/core.c:1132
nfcsim_device_new+0x372/0x5c2 drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x12a drivers/nfc/nfcsim.c:464
do_one_initcall+0x88/0x210 init/main.c:826
do_initcall_level init/main.c:892 [inline]
do_initcalls init/main.c:900 [inline]
do_basic_setup init/main.c:918 [inline]
kernel_init_freeable+0x553/0x614 init/main.c:1075
kernel_init+0xd/0x164 init/main.c:1000
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
kzalloc include/linux/slab.h:661 [inline]
nfc_llcp_register_device+0x43/0xa50 net/nfc/llcp_core.c:1584
nfc_register_device+0x63/0x330 net/nfc/core.c:1132
nfcsim_device_new+0x372/0x5c2 drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x12a drivers/nfc/nfcsim.c:464
do_one_initcall+0x88/0x210 init/main.c:826
do_initcall_level init/main.c:892 [inline]
do_initcalls init/main.c:900 [inline]
do_basic_setup init/main.c:918 [inline]
kernel_init_freeable+0x553/0x614 init/main.c:1075
kernel_init+0xd/0x164 init/main.c:1000
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 9350:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x13c/0x190 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x69/0x120 net/nfc/llcp_sock.c:960
__sk_destruct+0x49/0x760 net/core/sock.c:1557
sk_destruct net/core/sock.c:1597 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1605
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x13c/0x190 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x69/0x120 net/nfc/llcp_sock.c:960
__sk_destruct+0x49/0x760 net/core/sock.c:1557
sk_destruct net/core/sock.c:1597 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1605
sk_free+0x2b/0x40 net/core/sock.c:1616
sock_put include/net/sock.h:1662 [inline]
llcp_sock_release+0x31b/0x4c0 net/nfc/llcp_sock.c:657
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
sock_put include/net/sock.h:1662 [inline]
llcp_sock_release+0x31b/0x4c0 net/nfc/llcp_sock.c:657
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880ae612080
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1056 bytes inside of
2048-byte region [ffff8880ae612080, ffff8880ae612880)
The buggy address is located 1056 bytes inside of
The buggy address belongs to the page:
page:ffffea0002b98480 count:1 mapcount:0 mapping:ffff8880ae612080 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
raw: 00fff00000008100 ffff8880ae612080 0000000000000000 0000000100000003
raw: ffffea0002b96ea0 ffffea0002b99da0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ae612380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880ae612400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae612480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae612500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae612580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
batman_adv: batadv0: Interface activated: batadv_slave_0
syzbot
Apr 21, 2021, 7:43:14 AM4/21/21
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 2965db2e Linux 4.19.188
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14215e61d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=66e717310a9b0f81
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13f4efc5d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=116ef955d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174a4f...@syzkaller.appspotmail.com
CPU: 1 PID: 8117 Comm: syz-executor574 Not tainted 4.19.188-syzkaller #0
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43e989
Code: 00 49 c7 c0 c0 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
RSP: 002b:00007ffedcfa28a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004b02f0 RCX: 000000000043e989
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
R10: 0000000000080800 R11: 0000000000000246 R12: 00000000004b02f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 8118:
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888238b9c900
flags: 0x57ff00000008100(slab|head)
raw: 057ff00000008100 ffffea0008e2dd08 ffffea0008e2f008 ffff88813bff0c40
raw: 0000000000000000 ffff888238b9c080 0000000100000003 0000000000000000
ffff888238b9cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888238b9cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888238b9cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888238b9ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 2965db2e Linux 4.19.188
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14215e61d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=66e717310a9b0f81
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13f4efc5d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=116ef955d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+174a4f...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff888238b9cd10 by task syz-executor574/8117
BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
CPU: 1 PID: 8117 Comm: syz-executor574 Not tainted 4.19.188-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:288
nfc_llcp_sock_unlink+0x1d/0x190 net/nfc/llcp_core.c:44
llcp_sock_release+0x286/0x520 net/nfc/llcp_sock.c:652
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:288
nfc_llcp_sock_unlink+0x1d/0x190 net/nfc/llcp_core.c:44
llcp_sock_release+0x286/0x520 net/nfc/llcp_sock.c:652
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43e989
Code: 00 49 c7 c0 c0 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
RSP: 002b:00007ffedcfa28a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004b02f0 RCX: 000000000043e989
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
R10: 0000000000080800 R11: 0000000000000246 R12: 00000000004b02f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
Allocated by task 1:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nfc_llcp_register_device+0x45/0x9b0 net/nfc/llcp_core.c:1584
nfc_register_device+0x6d/0x360 net/nfc/core.c:1129
nfcsim_device_new+0x333/0x5af drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x14d drivers/nfc/nfcsim.c:464
do_one_initcall+0xf1/0x740 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x9a6/0xa98 init/main.c:1145
kernel_init+0xd/0x1b6 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x155/0x1b0 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x7b/0x140 net/nfc/llcp_sock.c:959
__sk_destruct+0x4b/0x8a0 net/core/sock.c:1559
sk_destruct net/core/sock.c:1599 [inline]
__sk_free+0x165/0x3b0 net/core/sock.c:1610
sk_free+0x3b/0x50 net/core/sock.c:1621
sock_put include/net/sock.h:1711 [inline]
llcp_sock_release+0x37a/0x520 net/nfc/llcp_sock.c:656
__sock_release+0xcd/0x2a0 net/socket.c:579
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
do_exit+0xbf3/0x2be0 kernel/exit.c:870
do_group_exit+0x125/0x310 kernel/exit.c:967
__do_sys_exit_group kernel/exit.c:978 [inline]
__se_sys_exit_group kernel/exit.c:976 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888238b9c900
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1040 bytes inside of
2048-byte region [ffff888238b9c900, ffff888238b9d100)
The buggy address is located 1040 bytes inside of
The buggy address belongs to the page:
page:ffffea0008e2e700 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
flags: 0x57ff00000008100(slab|head)
raw: 057ff00000008100 ffffea0008e2dd08 ffffea0008e2f008 ffff88813bff0c40
raw: 0000000000000000 ffff888238b9c080 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888238b9cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff888238b9cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888238b9cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888238b9cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888238b9ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
May 3, 2021, 4:39:17 PM5/3/21
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 7d7d1c0a Linux 4.14.232
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1268f679d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=17ee8a0e183900d8
dashboard link: https://syzkaller.appspot.com/bug?extid=e957c786fee9905cefc7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a9f385d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12de4fa9d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e957c7...@syzkaller.appspotmail.com
CPU: 0 PID: 7985 Comm: syz-executor402 Not tainted 4.14.232-syzkaller #0
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
Allocated by task 1:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nfc_llcp_register_device+0x43/0xa50 net/nfc/llcp_core.c:1584
nfc_register_device+0x63/0x330 net/nfc/core.c:1132
nfcsim_device_new+0x372/0x5c2 drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x12a drivers/nfc/nfcsim.c:464
do_one_initcall+0x88/0x210 init/main.c:826
do_initcall_level init/main.c:892 [inline]
do_initcalls init/main.c:900 [inline]
do_basic_setup init/main.c:918 [inline]
kernel_init_freeable+0x553/0x614 init/main.c:1075
kernel_init+0xd/0x165 init/main.c:1000
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 7984:
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880ae5b00c0 0000000000000000 0000000100000003
raw: ffffea0002b96ba0 ffffea0002b98220 ffff88813fe80c40 0000000000000000
ffff8880ae5b0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae5b0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae5b0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae5b0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 7d7d1c0a Linux 4.14.232
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1268f679d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=17ee8a0e183900d8
dashboard link: https://syzkaller.appspot.com/bug?extid=e957c786fee9905cefc7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a9f385d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12de4fa9d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e957c7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880ae5b0d60 by task syz-executor402/7985
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
CPU: 0 PID: 7985 Comm: syz-executor402 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:296
nfc_llcp_sock_unlink+0x1d/0x170 net/nfc/llcp_core.c:44
llcp_sock_release+0x235/0x4c0 net/nfc/llcp_sock.c:653
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
_raw_write_lock+0x2a/0x40 kernel/locking/spinlock.c:296
nfc_llcp_sock_unlink+0x1d/0x170 net/nfc/llcp_core.c:44
llcp_sock_release+0x235/0x4c0 net/nfc/llcp_sock.c:653
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x43fd79
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
Allocated by task 1:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nfc_llcp_register_device+0x43/0xa50 net/nfc/llcp_core.c:1584
nfc_register_device+0x63/0x330 net/nfc/core.c:1132
nfcsim_device_new+0x372/0x5c2 drivers/nfc/nfcsim.c:417
nfcsim_init+0x71/0x12a drivers/nfc/nfcsim.c:464
do_one_initcall+0x88/0x210 init/main.c:826
do_initcall_level init/main.c:892 [inline]
do_initcalls init/main.c:900 [inline]
do_basic_setup init/main.c:918 [inline]
kernel_init_freeable+0x553/0x614 init/main.c:1075
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 7984:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x13c/0x190 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x69/0x120 net/nfc/llcp_sock.c:960
__sk_destruct+0x49/0x760 net/core/sock.c:1557
sk_destruct net/core/sock.c:1597 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1605
sk_free+0x2b/0x40 net/core/sock.c:1616
sock_put include/net/sock.h:1662 [inline]
llcp_sock_release+0x31b/0x4c0 net/nfc/llcp_sock.c:657
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
local_release net/nfc/llcp_core.c:187 [inline]
kref_put include/linux/kref.h:70 [inline]
nfc_llcp_local_put+0x13c/0x190 net/nfc/llcp_core.c:195
llcp_sock_destruct+0x69/0x120 net/nfc/llcp_sock.c:960
__sk_destruct+0x49/0x760 net/core/sock.c:1557
sk_destruct net/core/sock.c:1597 [inline]
__sk_free+0xd9/0x2d0 net/core/sock.c:1605
sk_free+0x2b/0x40 net/core/sock.c:1616
sock_put include/net/sock.h:1662 [inline]
llcp_sock_release+0x31b/0x4c0 net/nfc/llcp_sock.c:657
__sock_release+0xcd/0x2b0 net/socket.c:602
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2423
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880ae5b0940
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1056 bytes inside of
2048-byte region [ffff8880ae5b0940, ffff8880ae5b1140)
The buggy address is located 1056 bytes inside of
The buggy address belongs to the page:
page:ffffea0002b96c00 count:1 mapcount:0 mapping:ffff8880ae5b00c0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff8880ae5b00c0 0000000000000000 0000000100000003
raw: ffffea0002b96ba0 ffffea0002b98220 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ae5b0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880ae5b0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ae5b0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880ae5b0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ae5b0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Jun 21, 2021, 5:23:14 AM6/21/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
Author: Or Cohen <orc...@paloaltonetworks.com>
Date: Tue May 4 07:16:46 2021 +0000
net/nfc: fix use-after-free llcp_sock_bind/connect
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=154aa1b8300000
start commit: 97a8651c Linux 4.19.189
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=82311d18bf81a023
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=100473f1d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c1ae7dd00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: net/nfc: fix use-after-free llcp_sock_bind/connect
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610
Author: Or Cohen <orc...@paloaltonetworks.com>
Date: Tue May 4 07:16:46 2021 +0000
net/nfc: fix use-after-free llcp_sock_bind/connect
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=154aa1b8300000
start commit: 97a8651c Linux 4.19.189
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=82311d18bf81a023
dashboard link: https://syzkaller.appspot.com/bug?extid=174a4f09354b9dacb1bd
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=100473f1d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c1ae7dd00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: net/nfc: fix use-after-free llcp_sock_bind/connect
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages