Linux-RISC-V Archive on lore.kernel.org
 help / color / Atom feed
* [syzbot] KASAN: use-after-free Read in get_wchan
@ 2021-04-14  5:52 syzbot
  2021-04-14  5:56 ` Dmitry Vyukov
  0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2021-04-14  5:52 UTC (permalink / raw)
  To: 0x7f454c46, akpm, aou, chenhuang5, linux-kernel, linux-riscv,
	palmer, paul.walmsley, syzkaller-bugs, wangkefeng.wang

Hello,

syzbot found the following issue on:

HEAD commit:    b2b3d18f riscv: Make NUMA depend on MMU
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0806291048161061627c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
Read of size 8 at addr ffffffe0058e3d90 by task syz-executor.0/4667

CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffe000009706>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
[<ffffffe002a5f182>] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
[<ffffffe002a5f1b2>] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
[<ffffffe002a68a3e>] __dump_stack lib/dump_stack.c:79 [inline]
[<ffffffe002a68a3e>] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
[<ffffffe0003bc802>] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
[<ffffffe0003bcd24>] __kasan_report mm/kasan/report.c:399 [inline]
[<ffffffe0003bcd24>] kasan_report+0x16e/0x18c mm/kasan/report.c:416
[<ffffffe0003bd588>] check_region_inline mm/kasan/generic.c:180 [inline]
[<ffffffe0003bd588>] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
[<ffffffe000009a98>] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
[<ffffffe000009a98>] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
[<ffffffe000553364>] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
[<ffffffe000554458>] proc_single_show+0x9c/0x13c fs/proc/base.c:774
[<ffffffe00045000c>] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
[<ffffffe00045081e>] seq_read+0x200/0x298 fs/seq_file.c:159
[<ffffffe0003f9210>] vfs_read+0x108/0x2ac fs/read_write.c:494
[<ffffffe0003f9724>] ksys_read+0xb4/0x1b8 fs/read_write.c:634
[<ffffffe0003f9850>] __do_sys_read fs/read_write.c:644 [inline]
[<ffffffe0003f9850>] sys_read+0x28/0x36 fs/read_write.c:642
[<ffffffe000005572>] ret_from_syscall+0x0/0x2

The buggy address belongs to the page:
page:ffffffcf0216b8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85ae3
flags: 0xffe000000000000()
raw: 0ffe000000000000 ffffffcf0216b8c8 ffffffcf0216b8c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffffffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffffffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in get_wchan
  2021-04-14  5:52 [syzbot] KASAN: use-after-free Read in get_wchan syzbot
@ 2021-04-14  5:56 ` Dmitry Vyukov
  2021-05-06  6:14   ` Palmer Dabbelt
  0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Vyukov @ 2021-04-14  5:56 UTC (permalink / raw)
  To: syzbot
  Cc: Dmitry Safonov, Andrew Morton, Albert Ou, chenhuang5, LKML,
	linux-riscv, Palmer Dabbelt, Paul Walmsley, syzkaller-bugs,
	Kefeng Wang

On Wed, Apr 14, 2021 at 7:52 AM syzbot
<syzbot+0806291048161061627c@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    b2b3d18f riscv: Make NUMA depend on MMU
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
> dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0806291048161061627c@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
> BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
> Read of size 8 at addr ffffffe0058e3d90 by task syz-executor.0/4667
>
> CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> [<ffffffe000009706>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
> [<ffffffe002a5f182>] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
> [<ffffffe002a5f1b2>] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
> [<ffffffe002a68a3e>] __dump_stack lib/dump_stack.c:79 [inline]
> [<ffffffe002a68a3e>] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
> [<ffffffe0003bc802>] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
> [<ffffffe0003bcd24>] __kasan_report mm/kasan/report.c:399 [inline]
> [<ffffffe0003bcd24>] kasan_report+0x16e/0x18c mm/kasan/report.c:416
> [<ffffffe0003bd588>] check_region_inline mm/kasan/generic.c:180 [inline]
> [<ffffffe0003bd588>] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
> [<ffffffe000009a98>] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]

If it's walking the stack of another task, then it needs to use
READ_ONCE_NOCHECK. See x86/arm64/s390 for examples:
https://elixir.bootlin.com/linux/v5.12-rc7/A/ident/READ_ONCE_NOCHECK

> [<ffffffe000009a98>] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
> [<ffffffe000553364>] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
> [<ffffffe000554458>] proc_single_show+0x9c/0x13c fs/proc/base.c:774
> [<ffffffe00045000c>] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
> [<ffffffe00045081e>] seq_read+0x200/0x298 fs/seq_file.c:159
> [<ffffffe0003f9210>] vfs_read+0x108/0x2ac fs/read_write.c:494
> [<ffffffe0003f9724>] ksys_read+0xb4/0x1b8 fs/read_write.c:634
> [<ffffffe0003f9850>] __do_sys_read fs/read_write.c:644 [inline]
> [<ffffffe0003f9850>] sys_read+0x28/0x36 fs/read_write.c:642
> [<ffffffe000005572>] ret_from_syscall+0x0/0x2
>
> The buggy address belongs to the page:
> page:ffffffcf0216b8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85ae3
> flags: 0xffe000000000000()
> raw: 0ffe000000000000 ffffffcf0216b8c8 ffffffcf0216b8c8 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffffffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffffffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffffffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>                          ^
>  ffffffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  ffffffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000009862e005bfe859c8%40google.com.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in get_wchan
  2021-04-14  5:56 ` Dmitry Vyukov
@ 2021-05-06  6:14   ` Palmer Dabbelt
  0 siblings, 0 replies; 3+ messages in thread
From: Palmer Dabbelt @ 2021-05-06  6:14 UTC (permalink / raw)
  To: dvyukov
  Cc: syzbot+0806291048161061627c, 0x7f454c46, akpm, aou, chenhuang5,
	linux-kernel, linux-riscv, Paul Walmsley, syzkaller-bugs,
	wangkefeng.wang

On Tue, 13 Apr 2021 22:56:13 PDT (-0700), dvyukov@google.com wrote:
> On Wed, Apr 14, 2021 at 7:52 AM syzbot
> <syzbot+0806291048161061627c@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    b2b3d18f riscv: Make NUMA depend on MMU
>> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
>> console output: https://syzkaller.appspot.com/x/log.txt?x=12b59d16d00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=81b3e7c68dad6e
>> dashboard link: https://syzkaller.appspot.com/bug?extid=0806291048161061627c
>> userspace arch: riscv64
>>
>> Unfortunately, I don't have any reproducer for this issue yet.
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+0806291048161061627c@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
>> BUG: KASAN: use-after-free in get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
>> Read of size 8 at addr ffffffe0058e3d90 by task syz-executor.0/4667
>>
>> CPU: 1 PID: 4667 Comm: syz-executor.0 Not tainted 5.12.0-rc5-syzkaller-00721-gb2b3d18fc20e #0
>> Hardware name: riscv-virtio,qemu (DT)
>> Call Trace:
>> [<ffffffe000009706>] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:201
>> [<ffffffe002a5f182>] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
>> [<ffffffe002a5f1b2>] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
>> [<ffffffe002a68a3e>] __dump_stack lib/dump_stack.c:79 [inline]
>> [<ffffffe002a68a3e>] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
>> [<ffffffe0003bc802>] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
>> [<ffffffe0003bcd24>] __kasan_report mm/kasan/report.c:399 [inline]
>> [<ffffffe0003bcd24>] kasan_report+0x16e/0x18c mm/kasan/report.c:416
>> [<ffffffe0003bd588>] check_region_inline mm/kasan/generic.c:180 [inline]
>> [<ffffffe0003bd588>] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
>> [<ffffffe000009a98>] walk_stackframe arch/riscv/kernel/stacktrace.c:60 [inline]
>
> If it's walking the stack of another task, then it needs to use
> READ_ONCE_NOCHECK. See x86/arm64/s390 for examples:
> https://elixir.bootlin.com/linux/v5.12-rc7/A/ident/READ_ONCE_NOCHECK

Thanks, I just sent out a fix -- or at least hopefully one, I haven't 
actually tested it yet.

>
>> [<ffffffe000009a98>] get_wchan+0x156/0x196 arch/riscv/kernel/stacktrace.c:136
>> [<ffffffe000553364>] proc_pid_wchan+0x48/0xa4 fs/proc/base.c:390
>> [<ffffffe000554458>] proc_single_show+0x9c/0x13c fs/proc/base.c:774
>> [<ffffffe00045000c>] seq_read_iter+0x2e0/0x8f2 fs/seq_file.c:227
>> [<ffffffe00045081e>] seq_read+0x200/0x298 fs/seq_file.c:159
>> [<ffffffe0003f9210>] vfs_read+0x108/0x2ac fs/read_write.c:494
>> [<ffffffe0003f9724>] ksys_read+0xb4/0x1b8 fs/read_write.c:634
>> [<ffffffe0003f9850>] __do_sys_read fs/read_write.c:644 [inline]
>> [<ffffffe0003f9850>] sys_read+0x28/0x36 fs/read_write.c:642
>> [<ffffffe000005572>] ret_from_syscall+0x0/0x2
>>
>> The buggy address belongs to the page:
>> page:ffffffcf0216b8c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x85ae3
>> flags: 0xffe000000000000()
>> raw: 0ffe000000000000 ffffffcf0216b8c8 ffffffcf0216b8c8 0000000000000000
>> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffffffe0058e3c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>  ffffffe0058e3d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> >ffffffe0058e3d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>                          ^
>>  ffffffe0058e3e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>  ffffffe0058e3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>> ==================================================================
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000009862e005bfe859c8%40google.com.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-14  5:52 [syzbot] KASAN: use-after-free Read in get_wchan syzbot
2021-04-14  5:56 ` Dmitry Vyukov
2021-05-06  6:14   ` Palmer Dabbelt

Linux-RISC-V Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-riscv/0 linux-riscv/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-riscv linux-riscv/ https://lore.kernel.org/linux-riscv \
		linux-riscv@lists.infradead.org
	public-inbox-index linux-riscv

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.infradead.lists.linux-riscv


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git