KASAN: use-after-free Read in tw_timer_handler


syzbot

Sep 30, 2019, 8:04:08 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1243a8db600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=445885d03020621fa52b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+445885...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in tw_timer_handler+0x124/0x150 net/ipv4/inet_timewait_sock.c:151
Read of size 8 at addr ffff88805eb18378 by task syz-executor.4/17548

CPU: 1 PID: 17548 Comm: syz-executor.4 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
tw_timer_handler+0x124/0x150 net/ipv4/inet_timewait_sock.c:151
call_timer_fn+0x161/0x670 kernel/time/timer.c:1279
expire_timers kernel/time/timer.c:1318 [inline]
__run_timers kernel/time/timer.c:1634 [inline]
__run_timers kernel/time/timer.c:1602 [inline]
run_timer_softirq+0x5b4/0x1570 kernel/time/timer.c:1647
__do_softirq+0x244/0x9a0 kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x160/0x1b0 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
smp_apic_timer_interrupt+0x146/0x5e0 arch/x86/kernel/apic/apic.c:1102
apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:792
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x95/0xe0 kernel/locking/spinlock.c:192
RSP: 0018:ffff8880a04bfac0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: 1ffffffff0ee2a81 RBX: 0000000000000282 RCX: 1ffff11010764d14
RDX: dffffc0000000000 RSI: ffff888083b26880 RDI: 0000000000000282
RBP: ffff8880a04bfad0 R08: ffff888083b26000 R09: ffff888083b268a0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888091a1ca80
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:372 [inline]
__wake_up_common_lock+0xe3/0x160 kernel/sched/wait.c:126
__wake_up+0xe/0x10 kernel/sched/wait.c:149
wakeup_pipe_writers+0x59/0x90 fs/splice.c:459
splice_from_pipe_next.part.0+0x1ba/0x290 fs/splice.c:562
splice_from_pipe_next fs/splice.c:545 [inline]
__splice_from_pipe+0xf9/0x780 fs/splice.c:624
vmsplice_to_user+0x197/0x1c0 fs/splice.c:1272
SYSC_vmsplice fs/splice.c:1353 [inline]
SyS_vmsplice+0x131/0x160 fs/splice.c:1334
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a29
RSP: 002b:00007fd8fdaa6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000116
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000459a29
RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd8fdaa76d4
R13: 00000000004c9274 R14: 00000000004e06c0 R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea00017ac600 count:0 mapcount:-127 mapping: (null)
index:0xffff88805eb18180
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffff88805eb18180 00000000ffffff80
raw: ffffea0001547320 ffffea00016b1720 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88805eb18200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88805eb18280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88805eb18300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88805eb18380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88805eb18400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 12, 2020, 5:52:09 AM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.