From: Naresh Kamboju <naresh.kamboju@linaro.org>
To: virtualization@lists.linux-foundation.org,
	Linux-Next Mailing List <linux-next@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>,
	lkft-triage@lists.linaro.org, linux-mm <linux-mm@kvack.org>
Cc: Guenter Roeck <linux@roeck-us.net>,
	Mat Martineau <mathew.j.martineau@linux.intel.com>,
	Xuan Zhuo <xuanzhuo@linux.alibaba.com>,
	Jason Wang <jasowang@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Eric Dumazet <edumazet@google.com>,
	Alan Bennett <alan.bennett@linaro.org>
Subject: BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
Date: Tue, 20 Apr 2021 19:15:14 +0530	[thread overview]
Message-ID: <CA+G9fYskw4f8GDnn+YngdXihFGs5vP5EekDNqECY7XKTd9cbRg@mail.gmail.com> (raw)

The following kernel BUG was reported on qemu-arm64 running linux-next 20210420;
the config has KASAN enabled.

steps to reproduce:
----------------------------
- Build the arm64 kernel with KASAN enabled.
- Boot it with the command below and you will notice it:
  /usr/bin/qemu-system-aarch64 -cpu host -machine virt,accel=kvm \
    -nographic -net nic,model=virtio,macaddr=BA:DD:AD:CC:09:10 -net tap \
    -m 1024 -monitor none -kernel kernel/Image.gz \
    --append "console=ttyAMA0 root=/dev/vda rw" \
    -hda rootfs/rpb-console-image-lkft-juno-20210414125244-133.rootfs.ext4 \
    -m 4096 -smp 4 -nographic


crash log:
-------------
[   23.711647] BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
[   23.715349] Read of size 12 at addr ffff0000cf63f800 by task systemd/1
[   23.718528]
[   23.719331] CPU: 0 PID: 1 Comm: systemd Not tainted 5.12.0-rc8-next-20210420 #1
[   23.722836] Hardware name: linux,dummy-virt (DT)
[   23.725114] Call trace:
[   23.726345]  dump_backtrace+0x0/0x2f0
[   23.728167]  show_stack+0x20/0x30
[   23.729843]  dump_stack+0x120/0x19c
[   23.731576]  print_address_description.constprop.0+0x6c/0x30c
[   23.734357]  kasan_report+0x1e0/0x248
[   23.736155]  kasan_check_range+0x100/0x1b8
[   23.738183]  memcpy+0x54/0x100
[   23.739707]  page_to_skb.isra.0+0x300/0x418
[   23.742027]  receive_buf+0x113c/0x2118
[   23.743881]  virtnet_poll+0x28c/0x980
[   23.745712]  __napi_poll+0x64/0x2e8
[   23.747450]  net_rx_action+0x204/0x448
[   23.749315]  __do_softirq+0x20c/0x70c
[   23.751124]  irq_exit+0x184/0x190
[   23.752786]  __handle_domain_irq+0x8c/0xf0
[   23.754790]  gic_handle_irq+0xe4/0x128
[   23.756612]  el1_irq+0xb4/0x14c
[   23.758194]  copy_page+0x48/0xe8
[   23.759815]  copy_user_highpage+0x20/0x50
[   23.761791]  wp_page_copy+0x178/0xe00
[   23.763592]  do_wp_page+0x10c/0x890
[   23.765330]  __handle_mm_fault+0xbb8/0x1560
[   23.767381]  handle_mm_fault+0x160/0x360
[   23.769320]  do_page_fault+0x1d4/0x5b0
[   23.771122]  do_mem_abort+0x68/0x100
[   23.772849]  el0_da+0x3c/0x50
[   23.774295]  el0_sync_handler+0x88/0xb8
[   23.776133]  el0_sync+0x18c/0x1c0
[   23.777751]
[   23.778520] Unable to handle kernel paging request at virtual address dead000000000418
[   23.782211] Mem abort info:
[   23.783557]   ESR = 0x96000004
[   23.785383]   EC = 0x25: DABT (current EL), IL = 32 bits
[   23.787934]   SET = 0, FnV = 0
[   23.789451]   EA = 0, S1PTW = 0
[   23.791000] Data abort info:
[   23.792418]   ISV = 0, ISS = 0x00000004
[   23.794293]   CM = 0, WnR = 0
[   23.795756] [dead000000000418] address between user and kernel address ranges
[   23.799181] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[   23.801878] Modules linked in: rfkill crct10dif_ce fuse
[   23.804467] CPU: 0 PID: 1 Comm: systemd Not tainted 5.12.0-rc8-next-20210420 #1
[   23.807965] Hardware name: linux,dummy-virt (DT)
[   23.810215] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO BTYPE=--)
[   23.813114] pc : print_address_description.constprop.0+0xb4/0x30c
[   23.816067] lr : print_address_description.constprop.0+0x78/0x30c
[   23.819042] sp : ffff8000100077d0
[   23.820694] x29: ffff8000100077d0 x28: ffff0000cf63f80c
[   23.823289] x27: 000000000000780c x26: 000000000000000c
[   23.825884] x25: ffff0000c623e934 x24: ffff800015779000
[   23.828476] x23: ffff8000129f1888 x22: dead000000000400
[   23.831080] x21: 000000000000000c x20: fffffc00033d8fc0
[   23.833672] x19: ffff0000cf63f800 x18: 0000000000000000
[   23.836262] x17: 0000000000000000 x16: 0000000000000000
[   23.838866] x15: 0000000000000000 x14: 0000000000000000
[   23.841454] x13: 0000000000000000 x12: ffff60001b568d2c
[   23.844033] x11: 1fffe0001b568d2b x10: ffff60001b568d2b
[   23.846652] x9 : ffff8000101768f4 x8 : ffff0000dab4695b
[   23.849250] x7 : 0000000000000001 x6 : ffff0000dab46958
[   23.851827] x5 : 00009fffe4a972d5 x4 : dfff800000000000
[   23.854581] x3 : ffff000000000000 x2 : 00000000000cf63f
[   23.857178] x1 : 0000000000000000 x0 : dead000000000400
[   23.859756] Call trace:
[   23.860996]  print_address_description.constprop.0+0xb4/0x30c
[   23.863786]  kasan_report+0x1e0/0x248
[   23.865613]  kasan_check_range+0x100/0x1b8
[   23.867627]  memcpy+0x54/0x100
[   23.869179]  page_to_skb.isra.0+0x300/0x418
[   23.871234]  receive_buf+0x113c/0x2118
[   23.873092]  virtnet_poll+0x28c/0x980
[   23.874888]  __napi_poll+0x64/0x2e8
[   23.876609]  net_rx_action+0x204/0x448
[   23.878482]  __do_softirq+0x20c/0x70c
[   23.880278]  irq_exit+0x184/0x190
[   23.881950]  __handle_domain_irq+0x8c/0xf0
[   23.883952]  gic_handle_irq+0xe4/0x128
[   23.885800]  el1_irq+0xb4/0x14c
[   23.887344]  copy_page+0x48/0xe8
[   23.888964]  copy_user_highpage+0x20/0x50
[   23.890922]  wp_page_copy+0x178/0xe00
[   23.892753]  do_wp_page+0x10c/0x890
[   23.894491]  __handle_mm_fault+0xbb8/0x1560
[   23.896528]  handle_mm_fault+0x160/0x360
[   23.898475]  do_page_fault+0x1d4/0x5b0
[   23.900321]  do_mem_abort+0x68/0x100
[   23.902096]  el0_da+0x3c/0x50
[   23.903567]  el0_sync_handler+0x88/0xb8
[   23.905462]  el0_sync+0x18c/0x1c0
[   23.907123] Code: d2ffffe3 79405681 aa1603e0 d346fc42 (b9401ac6)
[   23.910073] ---[ end trace fd09da2bec4267c7 ]---
[   23.912299] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[   23.915576] SMP: stopping secondary CPUs
[   23.917615] Kernel Offset: disabled
[   23.919303] CPU features: 0x00240002,20002004
[   23.921405] Memory Limit: none
[   23.922914] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>

Full test log:
------------------
https://lkft.validation.linaro.org/scheduler/job/2555059#L646
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20210420/testrun/4398870/suite/linux-log-parser/test/check-kernel-bug-2555059/log


metadata:
  git branch: master
  git repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
  git describe: next-20210420
  kernel-config: https://builds.tuxbuild.com/1rQkHtEDo0W1xQ7zqLlKg72HPil/config

--
Linaro LKFT
https://lkft.linaro.org
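The crash log above has the standard KASAN report shape, and reports like it arrive in bulk from CI. Two things matter for triage and are easy to misread by eye: the bug class and faulting function on the BUG line, and the fact that the "by task systemd/1" attribution is incidental here, because the call trace shows the virtio-net receive path (page_to_skb, receive_buf, virtnet_poll, net_rx_action) running in softirq context on top of an interrupted user page fault (copy_page ... el0_sync) that belongs to systemd. The Python below is an added example, not part of this report or of any Linaro LKFT tooling; it parses a trimmed copy of the log above (addresses and timestamps are the ones on this page) and splits the trace at the arm64 IRQ-entry frame. The `el1_irq`/`el1h_64_irq` symbol names used for that split are an assumption about arm64 entry naming; other architectures use different symbols.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a trimmed copy of the report above, kept in the
# exact dmesg shape KASAN emits (timestamps and addresses are the page's own).
SAMPLE_DMESG = """\
[   23.711647] BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
[   23.715349] Read of size 12 at addr ffff0000cf63f800 by task systemd/1
[   23.718528]
[   23.719331] CPU: 0 PID: 1 Comm: systemd Not tainted 5.12.0-rc8-next-20210420 #1
[   23.725114] Call trace:
[   23.726345]  dump_backtrace+0x0/0x2f0
[   23.729843]  dump_stack+0x120/0x19c
[   23.734357]  kasan_report+0x1e0/0x248
[   23.736155]  kasan_check_range+0x100/0x1b8
[   23.738183]  memcpy+0x54/0x100
[   23.739707]  page_to_skb.isra.0+0x300/0x418
[   23.742027]  receive_buf+0x113c/0x2118
[   23.743881]  virtnet_poll+0x28c/0x980
[   23.745712]  __napi_poll+0x64/0x2e8
[   23.747450]  net_rx_action+0x204/0x448
[   23.749315]  __do_softirq+0x20c/0x70c
[   23.751124]  irq_exit+0x184/0x190
[   23.754790]  gic_handle_irq+0xe4/0x128
[   23.756612]  el1_irq+0xb4/0x14c
[   23.758194]  copy_page+0x48/0xe8
[   23.763592]  do_wp_page+0x10c/0x890
[   23.769320]  do_page_fault+0x1d4/0x5b0
[   23.772849]  el0_da+0x3c/0x50
[   23.776133]  el0_sync+0x18c/0x1c0
[   23.777751]
[   23.778520] Unable to handle kernel paging request at virtual address dead000000000418
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_LINE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)")
ACCESS_LINE = re.compile(
    r"(?P<rw>Read|Write) of size (?P<len>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Assumption: arm64 kernel-mode IRQ entry symbols. Frames after this one belong
# to whatever the CPU was doing before the interrupt, not to the bug itself.
IRQ_ENTRY = re.compile(r"^(el1_irq|el1h_64_irq)$")


@dataclass
class KasanReport:
    bug_type: str           # e.g. "use-after-free"
    function: str           # symbol named on the BUG line
    offset: int             # instruction offset inside that symbol
    func_size: int          # symbol size as printed by the kernel
    access: str             # "Read" or "Write"
    access_size: int        # bytes accessed
    address: int            # faulting address
    task: str               # "by task" name; may be an innocent bystander
    pid: int
    call_path: List[str]    # faulting function outward, up to the IRQ entry
    in_softirq: bool        # __do_softirq appears on the faulting path
    interrupted_path: List[str]  # frames of the context that got interrupted


def _first_match(pattern: "re.Pattern", lines: List[str]) -> Optional["re.Match"]:
    for ln in lines:
        m = pattern.search(ln)
        if m:
            return m
    return None


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    """Extract the key triage fields from a dmesg excerpt holding one KASAN report."""
    lines = [TIMESTAMP.sub("", ln).strip() for ln in text.splitlines()]
    bug = _first_match(BUG_LINE, lines)
    access = _first_match(ACCESS_LINE, lines)
    if bug is None or access is None:
        return None

    # Collect "sym+0xoff/0xsize" frames after "Call trace:" until the blank line.
    frames: List[str] = []
    in_trace = False
    for ln in lines:
        if ln == "Call trace:":
            in_trace = True
            continue
        if in_trace:
            m = FRAME.match(ln)
            if m is None:
                break
            frames.append(m.group("sym"))

    # Frames above the function named on the BUG line are KASAN's own
    # reporting machinery (dump_stack, kasan_report, the instrumented memcpy).
    func = bug.group("func")
    start = frames.index(func) if func in frames else 0
    path = frames[start:]
    irq = next((i for i, s in enumerate(path) if IRQ_ENTRY.match(s)), None)
    call_path = path if irq is None else path[: irq + 1]
    interrupted = [] if irq is None else path[irq + 1 :]

    return KasanReport(
        bug_type=bug.group("kind"), function=func,
        offset=int(bug.group("off"), 16), func_size=int(bug.group("size"), 16),
        access=access.group("rw"), access_size=int(access.group("len")),
        address=int(access.group("addr"), 16),
        task=access.group("task"), pid=int(access.group("pid")),
        call_path=call_path, in_softirq="__do_softirq" in call_path,
        interrupted_path=interrupted,
    )


def triage_summary(r: KasanReport) -> str:
    """One-line summary that names the real context instead of the reported task."""
    ctx = "softirq" if r.in_softirq else "process"
    via = " <- ".join(r.call_path[:4])
    note = f"; task {r.task}/{r.pid} was interrupted in {r.interrupted_path[0]}" if r.interrupted_path else ""
    return (f"{r.bug_type}: {r.access} of {r.access_size} bytes at {r.address:#x} "
            f"in {r.function}+{r.offset:#x} ({ctx} context, {via}){note}")


if __name__ == "__main__":
    report = parse_kasan_report(SAMPLE_DMESG)
    print(triage_summary(report))
```

Run as-is it prints a single line that attributes the fault to the virtio-net receive path in softirq context and notes that systemd/1 was merely the interrupted task, which is the distinction a deduplication or bisection script should key on (the faulting function and its callers), not the `Comm:` field.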
