* KASAN: use-after-free Read in addr_handler
@ 2018-12-13 15:27 syzbot
2019-02-19 4:09 ` syzbot
2019-03-24 11:50 ` syzbot
0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2018-12-13 15:27 UTC (permalink / raw)
To: danielj, dledford, jgg, leon, linux-kernel, linux-rdma, parav,
swise, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: f5d582777bcb Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e556fb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8970c89a0efbb23
dashboard link: https://syzkaller.appspot.com/bug?extid=b358909d8d01556b790b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
kernel/locking/lockdep.c:3218
Read of size 8 at addr ffff88818e1b5050 by task kworker/u4:3/394
CPU: 1 PID: 394 Comm: kworker/u4:3 Not tainted 4.20.0-rc6+ #274
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
__mutex_lock_common kernel/locking/mutex.c:925 [inline]
__mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
addr_handler+0xed/0x420 drivers/infiniband/core/cma.c:2967
process_one_req+0x1a9/0x920 drivers/infiniband/core/addr.c:643
process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
kthread+0x35a/0x440 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Allocated by task 25482:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:546 [inline]
kzalloc include/linux/slab.h:741 [inline]
__rdma_create_id+0xdf/0x650 drivers/infiniband/core/cma.c:876
ucma_create_id+0x39b/0x990 drivers/infiniband/core/ucma.c:506
ucma_write+0x365/0x460 drivers/infiniband/core/ucma.c:1689
__vfs_write+0x119/0x9f0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__ia32_sys_write+0x71/0xb0 fs/read_write.c:607
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Freed by task 25482:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
rdma_destroy_id+0x835/0xcc0 drivers/infiniband/core/cma.c:1846
ucma_destroy_id+0x3ae/0x550 drivers/infiniband/core/ucma.c:638
ucma_write+0x365/0x460 drivers/infiniband/core/ucma.c:1689
__vfs_write+0x119/0x9f0 fs/read_write.c:485
vfs_write+0x1fc/0x560 fs/read_write.c:549
ksys_write+0x101/0x260 fs/read_write.c:598
__do_sys_write fs/read_write.c:610 [inline]
__se_sys_write fs/read_write.c:607 [inline]
__ia32_sys_write+0x71/0xb0 fs/read_write.c:607
do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
The buggy address belongs to the object at ffff88818e1b4cc0
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 912 bytes inside of
2048-byte region [ffff88818e1b4cc0, ffff88818e1b54c0)
The buggy address belongs to the page:
page:ffffea0006386d00 count:1 mapcount:0 mapping:ffff8881da800c40 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea00075df808 ffffea0006ffd708 ffff8881da800c40
raw: 0000000000000000 ffff88818e1b4440 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88818e1b4f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88818e1b4f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88818e1b5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88818e1b5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88818e1b5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in addr_handler 2018-12-13 15:27 KASAN: use-after-free Read in addr_handler syzbot @ 2019-02-19 4:09 ` syzbot 2019-03-24 11:50 ` syzbot 1 sibling, 0 replies; 5+ messages in thread From: syzbot @ 2019-02-19 4:09 UTC (permalink / raw) To: danielj, dledford, jgg, leon, linux-kernel, linux-rdma, parav, swise, syzkaller-bugs syzbot has found a reproducer for the following crash on: HEAD commit: a3b22b9f11d9 Linux 5.0-rc7 git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=14c5df58c00000 kernel config: https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f dashboard link: https://syzkaller.appspot.com/bug?extid=b358909d8d01556b790b compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1493d4d0c00000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x30e0/0x4700 kernel/locking/lockdep.c:3215 Read of size 8 at addr ffff88808bfc1150 by task kworker/u4:5/7685 CPU: 1 PID: 7685 Comm: kworker/u4:5 Not tainted 5.0.0-rc7 #77 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ib_addr process_one_req Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __lock_acquire+0x30e0/0x4700 kernel/locking/lockdep.c:3215 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0xf7/0x1310 kernel/locking/mutex.c:1072 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087 addr_handler+0xa5/0x300 drivers/infiniband/core/cma.c:2970 process_one_req+0x109/0x680 drivers/infiniband/core/addr.c:643 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173 worker_thread+0x98/0xe40 kernel/workqueue.c:2319 kthread+0x357/0x430 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Allocated by task 27464: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc mm/kasan/common.c:496 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] __rdma_create_id+0x5f/0x4e0 drivers/infiniband/core/cma.c:879 ucma_create_id+0x1de/0x640 drivers/infiniband/core/ucma.c:506 ucma_write+0x2da/0x3c0 drivers/infiniband/core/ucma.c:1689 __vfs_write+0x116/0x8e0 fs/read_write.c:485 vfs_write+0x20c/0x580 fs/read_write.c:549 ksys_write+0xea/0x1f0 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 27463: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466 __cache_free mm/slab.c:3487 [inline] kfree+0xcf/0x230 mm/slab.c:3806 rdma_destroy_id+0x723/0xab0 drivers/infiniband/core/cma.c:1849 ucma_close+0x115/0x320 drivers/infiniband/core/ucma.c:1770 __fput+0x2df/0x8d0 fs/file_table.c:278 ____fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x14a/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath arch/x86/entry/common.c:268 [inline] do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88808bfc0dc0 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 912 bytes inside of 2048-byte region [ffff88808bfc0dc0, ffff88808bfc15c0) The buggy address belongs to the page: page:ffffea00022ff000 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea000281a888 ffffea0002999e08 ffff88812c3f0c40 raw: 0000000000000000 ffff88808bfc0540 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808bfc1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808bfc1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88808bfc1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88808bfc1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808bfc1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in addr_handler 2018-12-13 15:27 KASAN: use-after-free Read in addr_handler syzbot 2019-02-19 4:09 ` syzbot @ 2019-03-24 11:50 ` syzbot 2019-03-24 13:20 ` Thomas Gleixner 1 sibling, 1 reply; 5+ messages in thread From: syzbot @ 2019-03-24 11:50 UTC (permalink / raw) To: alexander.h.duyck, amritha.nambiar, andrew, avagin, danielj, davem, dledford, dmitry.torokhov, gregory.clement, jason, jeffrey.t.kirsher, jgg, joe, leon, linux-arm-kernel, linux-kernel, linux-rdma, marc.zyngier, miquel.raynal, netdev, parav, sebastian.hesselbarth, swise, syzkaller-bugs, tglx, tyhicks syzbot has bisected this bug to: commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 Author: Miquel Raynal <miquel.raynal@bootlin.com> Date: Tue Oct 2 08:54:16 2018 +0000 irqchip/irq-mvebu-icu: Support ICU subnodes bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=163319df200000 start commit: a3b22b9f Linux 5.0-rc7 git tree: upstream final crash: https://syzkaller.appspot.com/x/report.txt?x=153319df200000 console output: https://syzkaller.appspot.com/x/log.txt?x=113319df200000 kernel config: https://syzkaller.appspot.com/x/.config?x=7132344728e7ec3f dashboard link: https://syzkaller.appspot.com/bug?extid=b358909d8d01556b790b syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1493d4d0c00000 Reported-by: syzbot+b358909d8d01556b790b@syzkaller.appspotmail.com Fixes: 4f4c867c91e6 ("irqchip/irq-mvebu-icu: Support ICU subnodes") For information about bisection process see: https://goo.gl/tpsmEJ#bisection ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in addr_handler 2019-03-24 11:50 ` syzbot @ 2019-03-24 13:20 ` Thomas Gleixner 2019-03-26 9:56 ` Dmitry Vyukov 0 siblings, 1 reply; 5+ messages in thread From: Thomas Gleixner @ 2019-03-24 13:20 UTC (permalink / raw) To: syzbot Cc: alexander.h.duyck, amritha.nambiar, andrew, avagin, danielj, davem, dledford, dmitry.torokhov, gregory.clement, jason, jeffrey.t.kirsher, jgg, joe, leon, linux-arm-kernel, linux-kernel, linux-rdma, marc.zyngier, miquel.raynal, netdev, parav, sebastian.hesselbarth, swise, syzkaller-bugs, tyhicks On Sun, 24 Mar 2019, syzbot wrote: > syzbot has bisected this bug to: > > commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 > Author: Miquel Raynal <miquel.raynal@bootlin.com> > Date: Tue Oct 2 08:54:16 2018 +0000 > > irqchip/irq-mvebu-icu: Support ICU subnodes Yet another bogus bisect result. Why? That code is ARM only and cannot influence x86 by any means. Thanks, tglx ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: use-after-free Read in addr_handler 2019-03-24 13:20 ` Thomas Gleixner @ 2019-03-26 9:56 ` Dmitry Vyukov 0 siblings, 0 replies; 5+ messages in thread From: Dmitry Vyukov @ 2019-03-26 9:56 UTC (permalink / raw) To: Thomas Gleixner Cc: syzbot, Alexander Duyck, amritha.nambiar, andrew, avagin, danielj, David Miller, Doug Ledford, Dmitry Torokhov, gregory.clement, jason, jeffrey.t.kirsher, Jason Gunthorpe, Joe Perches, Leon Romanovsky, Linux ARM, LKML, linux-rdma, Marc Zyngier, miquel.raynal, netdev, parav, sebastian.hesselbarth, swise, syzkaller-bugs, tyhicks On Sun, Mar 24, 2019 at 2:21 PM Thomas Gleixner <tglx@linutronix.de> wrote: > > On Sun, 24 Mar 2019, syzbot wrote: > > > syzbot has bisected this bug to: > > > > commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 > > Author: Miquel Raynal <miquel.raynal@bootlin.com> > > Date: Tue Oct 2 08:54:16 2018 +0000 > > > > irqchip/irq-mvebu-icu: Support ICU subnodes > > Yet another bogus bisect result. Why? That code is ARM only and cannot > influence x86 by any means. From the bisection log it seems the process diverged to a different bug mid way ("WARNING: ODEBUG bug in netdev_freemem"). ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-03-26 9:56 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-12-13 15:27 KASAN: use-after-free Read in addr_handler syzbot 2019-02-19 4:09 ` syzbot 2019-03-24 11:50 ` syzbot 2019-03-24 13:20 ` Thomas Gleixner 2019-03-26 9:56 ` Dmitry Vyukov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).