KASAN: slab-out-of-bounds Read in lock_sock_nested
7 views
Skip to first unread message
syzbot
Nov 12, 2020, 11:53:18 AM11/12/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 31acccdc Linux 4.19.157
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=140cad06500000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f604e014c43fe09
dashboard link: https://syzkaller.appspot.com/bug?extid=7c5432d2d77d7eb25684
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c5432...@syzkaller.appspotmail.com
UDF-fs: warning (device loop2): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 4096 failed
==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff8880b34464e0 by task kworker/0:1/14
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1340
l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:599
l2cap_chan_close+0x1b5/0x950 net/bluetooth/l2cap_core.c:757
l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:430
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 16556:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
user_path_at_empty+0x2a/0x50 fs/namei.c:2609
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x113/0x210 fs/stat.c:185
vfs_lstat include/linux/fs.h:3138 [inline]
__do_sys_newlstat fs/stat.c:350 [inline]
__se_sys_newlstat+0x96/0x120 fs/stat.c:344
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 16556:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
filename_lookup+0x3d0/0x5a0 fs/namei.c:2358
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x113/0x210 fs/stat.c:185
vfs_lstat include/linux/fs.h:3138 [inline]
__do_sys_newlstat fs/stat.c:350 [inline]
__se_sys_newlstat+0x96/0x120 fs/stat.c:344
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880b3446a40
which belongs to the cache names_cache of size 4096
The buggy address is located 1376 bytes to the left of
4096-byte region [ffff8880b3446a40, ffff8880b3447a40)
The buggy address belongs to the page:
page:ffffea0002cd1180 count:1 mapcount:0 mapping:ffff88813be83e40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea000263b008 ffffea0002a4fa88 ffff88813be83e40
raw: 0000000000000000 ffff8880b3446a40 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880b3446380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880b3446400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880b3446480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880b3446500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880b3446580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 31acccdc Linux 4.19.157
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=140cad06500000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f604e014c43fe09
dashboard link: https://syzkaller.appspot.com/bug?extid=7c5432d2d77d7eb25684
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c5432...@syzkaller.appspotmail.com
UDF-fs: warning (device loop2): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 4096 failed
==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff8880b34464e0 by task kworker/0:1/14
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3294
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1340
l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:599
l2cap_chan_close+0x1b5/0x950 net/bluetooth/l2cap_core.c:757
l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:430
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 16556:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
getname_flags+0xce/0x590 fs/namei.c:140
user_path_at_empty+0x2a/0x50 fs/namei.c:2609
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x113/0x210 fs/stat.c:185
vfs_lstat include/linux/fs.h:3138 [inline]
__do_sys_newlstat fs/stat.c:350 [inline]
__se_sys_newlstat+0x96/0x120 fs/stat.c:344
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 16556:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
putname+0xe1/0x120 fs/namei.c:261
filename_lookup+0x3d0/0x5a0 fs/namei.c:2358
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x113/0x210 fs/stat.c:185
vfs_lstat include/linux/fs.h:3138 [inline]
__do_sys_newlstat fs/stat.c:350 [inline]
__se_sys_newlstat+0x96/0x120 fs/stat.c:344
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880b3446a40
which belongs to the cache names_cache of size 4096
The buggy address is located 1376 bytes to the left of
4096-byte region [ffff8880b3446a40, ffff8880b3447a40)
The buggy address belongs to the page:
page:ffffea0002cd1180 count:1 mapcount:0 mapping:ffff88813be83e40 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea000263b008 ffffea0002a4fa88 ffff88813be83e40
raw: 0000000000000000 ffff8880b3446a40 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880b3446380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880b3446400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880b3446480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880b3446500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880b3446580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 5, 2023, 10:59:25 AM1/5/23
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages