KASAN: use-after-free Read in __sock_release
12 views
Skip to first unread message
syzbot
Aug 27, 2020, 12:12:23 AM8/27/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13bffb51900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e72fe...@syzkaller.appspotmail.com
TSC Offset = 0xfffffcb6f8425875
TPR Threshold = 0x00
EPT pointer = 0x000000005a46201e
Virtual processor ID = 0x0001
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
Read of size 8 at addr ffff8880839d5a10 by task syz-executor.5/4692
CPU: 1 PID: 4692 Comm: syz-executor.5 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:719 [inline]
__sock_release+0x86/0x2b0 net/socket.c:601
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007fb09b98ec78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe22f8278f R14: 00007fb09b98f9c0 R15: 000000000118cf4c
Allocated by task 4699:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
sock_alloc_inode+0x19/0x250 net/socket.c:251
alloc_inode+0x5d/0x170 fs/inode.c:210
new_inode_pseudo+0x14/0xe0 fs/inode.c:899
sock_alloc+0x3c/0x270 net/socket.c:569
__sock_create+0x8a/0x620 net/socket.c:1239
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 4703:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
destroy_inode+0xb9/0x110 fs/inode.c:267
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
__dentry_kill+0x320/0x550 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x56f/0x710 fs/dcache.c:847
dput+0x1b/0x30 fs/dcache.c:811
__fput+0x445/0x7a0 fs/file_table.c:228
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880839d5900
which belongs to the cache sock_inode_cache of size 1000
The buggy address is located 272 bytes inside of
1000-byte region [ffff8880839d5900, ffff8880839d5ce8)
The buggy address belongs to the page:
page:ffffea00020e7540 count:1 mapcount:0 mapping:ffff8880839d5000 index:0xffff8880839d5ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880839d5000 ffff8880839d5ffd 0000000100000002
raw: ffffea000266e7a0 ffffea00022624e0 ffff88821b7cb3c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880839d5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880839d5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880839d5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880839d5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880839d5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13bffb51900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e72fe...@syzkaller.appspotmail.com
TSC Offset = 0xfffffcb6f8425875
TPR Threshold = 0x00
EPT pointer = 0x000000005a46201e
Virtual processor ID = 0x0001
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
Read of size 8 at addr ffff8880839d5a10 by task syz-executor.5/4692
CPU: 1 PID: 4692 Comm: syz-executor.5 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:719 [inline]
__sock_release+0x86/0x2b0 net/socket.c:601
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45d5b9
RSP: 002b:00007fb09b98ec78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000003 RSI: 0000000000000001 RDI: 0000000000000004
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffe22f8278f R14: 00007fb09b98f9c0 R15: 000000000118cf4c
Allocated by task 4699:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
sock_alloc_inode+0x19/0x250 net/socket.c:251
alloc_inode+0x5d/0x170 fs/inode.c:210
new_inode_pseudo+0x14/0xe0 fs/inode.c:899
sock_alloc+0x3c/0x270 net/socket.c:569
__sock_create+0x8a/0x620 net/socket.c:1239
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 4703:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
destroy_inode+0xb9/0x110 fs/inode.c:267
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
__dentry_kill+0x320/0x550 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x56f/0x710 fs/dcache.c:847
dput+0x1b/0x30 fs/dcache.c:811
__fput+0x445/0x7a0 fs/file_table.c:228
task_work_run+0x11f/0x190 kernel/task_work.c:113
get_signal+0x18a3/0x1ca0 kernel/signal.c:2234
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8880839d5900
which belongs to the cache sock_inode_cache of size 1000
The buggy address is located 272 bytes inside of
1000-byte region [ffff8880839d5900, ffff8880839d5ce8)
The buggy address belongs to the page:
page:ffffea00020e7540 count:1 mapcount:0 mapping:ffff8880839d5000 index:0xffff8880839d5ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880839d5000 ffff8880839d5ffd 0000000100000002
raw: ffffea000266e7a0 ffffea00022624e0 ffff88821b7cb3c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880839d5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880839d5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880839d5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880839d5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880839d5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 1, 2020, 6:08:17 AM9/1/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1681e915900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e72fe...@syzkaller.appspotmail.com
CPU: 0 PID: 22096 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
RSP: 002b:00007ffd051b0e20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000416f01
RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000001190310 R09: 0000000000000000
R10: 00007ffd051b0f00 R11: 0000000000000293 R12: 0000000001190318
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Allocated by task 22110:
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88807f290080 ffff88807f290ffd 0000000100000003
raw: ffffea0001fca320 ffffea0001fcaca0 ffff8880a99bd900 0000000000000000
ffff88807f290580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f290600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f290680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f290700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: d7e78d08 Linux 4.14.195
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6608b656f49b4e8c
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=156620ae900000
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
compiler: gcc (GCC) 10.1.0-syz 20200507
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6e72fe...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
Read of size 8 at addr ffff88807f290610 by task syz-executor.0/22096
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
CPU: 0 PID: 22096 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:719 [inline]
__sock_release+0x86/0x2b0 net/socket.c:601
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
atomic_long_read include/asm-generic/atomic-long.h:45 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:590 [inline]
rwsem_down_write_failed+0x5d7/0x6d0 kernel/locking/rwsem-xadd.c:617
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:105
__down_write arch/x86/include/asm/rwsem.h:126 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:56
inode_lock include/linux/fs.h:719 [inline]
__sock_release+0x86/0x2b0 net/socket.c:601
sock_close+0x15/0x20 net/socket.c:1139
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x416f01
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 002b:00007ffd051b0e20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000416f01
RDX: 0000000000000000 RSI: 0000000000000081 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000001190310 R09: 0000000000000000
R10: 00007ffd051b0f00 R11: 0000000000000293 R12: 0000000001190318
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Allocated by task 22110:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
sock_alloc_inode+0x19/0x250 net/socket.c:251
alloc_inode+0x5d/0x170 fs/inode.c:210
new_inode_pseudo+0x14/0xe0 fs/inode.c:899
sock_alloc+0x3c/0x270 net/socket.c:569
__sock_create+0x8a/0x620 net/socket.c:1239
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 22110:
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
sock_alloc_inode+0x19/0x250 net/socket.c:251
alloc_inode+0x5d/0x170 fs/inode.c:210
new_inode_pseudo+0x14/0xe0 fs/inode.c:899
sock_alloc+0x3c/0x270 net/socket.c:569
__sock_create+0x8a/0x620 net/socket.c:1239
sock_create net/socket.c:1315 [inline]
SYSC_socket net/socket.c:1345 [inline]
SyS_socket+0xd1/0x1b0 net/socket.c:1325
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
destroy_inode+0xb9/0x110 fs/inode.c:267
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
__dentry_kill+0x320/0x550 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x56f/0x710 fs/dcache.c:847
dput+0x1b/0x30 fs/dcache.c:811
__fput+0x445/0x7a0 fs/file_table.c:228
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
destroy_inode+0xb9/0x110 fs/inode.c:267
iput_final fs/inode.c:1524 [inline]
iput+0x458/0x7e0 fs/inode.c:1551
dentry_unlink_inode+0x25c/0x310 fs/dcache.c:387
__dentry_kill+0x320/0x550 fs/dcache.c:591
dentry_kill fs/dcache.c:632 [inline]
dput.part.0+0x56f/0x710 fs/dcache.c:847
dput+0x1b/0x30 fs/dcache.c:811
__fput+0x445/0x7a0 fs/file_table.c:228
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff88807f290500
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
which belongs to the cache sock_inode_cache of size 1000
The buggy address is located 272 bytes inside of
1000-byte region [ffff88807f290500, ffff88807f2908e8)
The buggy address is located 272 bytes inside of
The buggy address belongs to the page:
page:ffffea0001fca400 count:1 mapcount:0 mapping:ffff88807f290080 index:0xffff88807f290ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88807f290080 ffff88807f290ffd 0000000100000003
raw: ffffea0001fca320 ffffea0001fcaca0 ffff8880a99bd900 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807f290500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff88807f290580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f290600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f290680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f290700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Sep 3, 2020, 12:13:17 PM9/3/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c37da90e Linux 4.19.143
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16b3cbde900000
kernel config: https://syzkaller.appspot.com/x/.config?x=d162ec57805c4e4d
dashboard link: https://syzkaller.appspot.com/bug?extid=7b4b02d0d7af3aa4f5ab
==================================================================
BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:47 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:591 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x401/0x760 kernel/locking/rwsem-xadd.c:618
Read of size 8 at addr ffff88804d95db88 by task syz-executor.4/20164
CPU: 0 PID: 20164 Comm: syz-executor.4 Not tainted 4.19.143-syzkaller #0
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report+0x8f/0x96 mm/kasan/report.c:412
atomic64_read include/asm-generic/atomic-instrumented.h:27 [inline]
atomic_long_read include/asm-generic/atomic-long.h:47 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:591 [inline]
rwsem_down_write_failed+0x401/0x760 kernel/locking/rwsem-xadd.c:618
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:748 [inline]
__sock_release+0x86/0x2a0 net/socket.c:578
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd875138c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
R13: 00007ffc77c7883f R14: 00007fd8751399c0 R15: 000000000118cf4c
Allocated by task 20164:
netlink: 52 bytes leftover after parsing attributes in process `syz-executor.5'.
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
sock_alloc_inode+0x19/0x250 net/socket.c:244
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo+0x14/0xe0 fs/inode.c:911
sock_alloc+0x3c/0x260 net/socket.c:547
__sock_create+0xba/0x740 net/socket.c:1240
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 20160:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
destroy_inode+0xb9/0x110 fs/inode.c:268
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
__fput+0x415/0x890 fs/file_table.c:291
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88804d95da80
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 264 bytes inside of
992-byte region [ffff88804d95da80, ffff88804d95de60)
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002003588 ffffea0002006908 ffff88821b6c3000
raw: ffff88804d95dffd ffff88804d95d180 0000000100000003 0000000000000000
ffff88804d95db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804d95db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
ffff88804d95dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804d95dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot found the following issue on:
HEAD commit: c37da90e Linux 4.19.143
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16b3cbde900000
kernel config: https://syzkaller.appspot.com/x/.config?x=d162ec57805c4e4d
dashboard link: https://syzkaller.appspot.com/bug?extid=7b4b02d0d7af3aa4f5ab
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7b4b02...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:47 [inline]
BUG: KASAN: use-after-free in __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:591 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_failed+0x401/0x760 kernel/locking/rwsem-xadd.c:618
Read of size 8 at addr ffff88804d95db88 by task syz-executor.4/20164
CPU: 0 PID: 20164 Comm: syz-executor.4 Not tainted 4.19.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Call Trace:
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report+0x8f/0x96 mm/kasan/report.c:412
atomic64_read include/asm-generic/atomic-instrumented.h:27 [inline]
atomic_long_read include/asm-generic/atomic-long.h:47 [inline]
__rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:591 [inline]
rwsem_down_write_failed+0x401/0x760 kernel/locking/rwsem-xadd.c:618
call_rwsem_down_write_failed+0x13/0x20 arch/x86/lib/rwsem.S:117
__down_write arch/x86/include/asm/rwsem.h:142 [inline]
down_write+0x4f/0x90 kernel/locking/rwsem.c:72
inode_lock include/linux/fs.h:748 [inline]
__sock_release+0x86/0x2a0 net/socket.c:578
sock_close+0x15/0x20 net/socket.c:1140
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd875138c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
RDX: 0000000000000008 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020d5dff4 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffc77c7883f R14: 00007fd8751399c0 R15: 000000000118cf4c
Allocated by task 20164:
netlink: 52 bytes leftover after parsing attributes in process `syz-executor.5'.
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
sock_alloc_inode+0x19/0x250 net/socket.c:244
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo+0x14/0xe0 fs/inode.c:911
sock_alloc+0x3c/0x260 net/socket.c:547
__sock_create+0xba/0x740 net/socket.c:1240
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 20160:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
destroy_inode+0xb9/0x110 fs/inode.c:268
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
__fput+0x415/0x890 fs/file_table.c:291
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88804d95da80
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 264 bytes inside of
992-byte region [ffff88804d95da80, ffff88804d95de60)
The buggy address belongs to the page:
page:ffffea0001365740 count:1 mapcount:0 mapping:ffff88821b6c3000 index:0xffff88804d95dffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002003588 ffffea0002006908 ffff88821b6c3000
raw: ffff88804d95dffd ffff88804d95d180 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88804d95da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff88804d95db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804d95db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
ffff88804d95dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804d95dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Oct 4, 2020, 9:01:06 AM10/4/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit c5c6e00f6cc5d3ed0d6464b14e33f2f5c8505888
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114255eb900000
start commit: 2f166cdc Linux 4.14.196
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=e2677667b00dfecb
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15470c59900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit c5c6e00f6cc5d3ed0d6464b14e33f2f5c8505888
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114255eb900000
start commit: 2f166cdc Linux 4.14.196
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=e2677667b00dfecb
dashboard link: https://syzkaller.appspot.com/bug?extid=6e72fe680f6f0744cc9d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15470c59900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Jan 1, 2021, 11:13:11 AM1/1/21
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages