Re: net: icmp vs udp_poll race?

2017-06-03 Thread Eric Dumazet
On Fri, Jun 2, 2017 at 10:17 PM, Levin, Alexander (Sasha Levin)
 wrote:
> Hi all,
>
> On the latest linux-next I'm seeing issues that look like an icmp
> socket destruction racing with poll(). It manifests in two ways, first:
>
> BUG: KASAN: slab-out-of-bounds in skb_queue_empty include/linux/skbuff.h:1197 [inline]
> BUG: KASAN: slab-out-of-bounds in udp_poll+0x5fb/0x6f0 net/ipv4/udp.c:2443
> Read of size 8 at addr 88006941a200 by task syz-executor5/9052
>
> CPU: 2 PID: 9052 Comm: syz-executor5 Not tainted 4.12.0-rc3-next-20170601+ #47
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0x115/0x1d1 lib/dump_stack.c:52
>  print_address_description+0xe7/0x370 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351 [inline]
>  kasan_report+0x1b0/0x450 mm/kasan/report.c:408
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
>  skb_queue_empty include/linux/skbuff.h:1197 [inline]
>  udp_poll+0x5fb/0x6f0 net/ipv4/udp.c:2443
>  sock_poll+0x169/0x410 net/socket.c:1101
>  do_pollfd fs/select.c:825 [inline]
>  do_poll fs/select.c:875 [inline]
>  do_sys_poll+0x7a7/0x13b0 fs/select.c:969
>  SYSC_poll fs/select.c:1027 [inline]
>  SyS_poll+0x106/0x460 fs/select.c:1015
>  do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
>  entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x451429
> RSP: 002b:7fee2df0dc08 EFLAGS: 0216 ORIG_RAX: 0007
> RAX: ffda RBX: 2fb0 RCX: 00451429
> RDX: 001f RSI: 000a RDI: 2fb0
> RBP: 00718000 R08:  R09: 
> R10:  R11: 0216 R12: 
> R13: 000a R14: 03c4 R15: 7fee2df0e700
>
> Allocated by task 9052:
>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>  set_track mm/kasan/kasan.c:525 [inline]
>  kasan_kmalloc+0xae/0xe0 mm/kasan/kasan.c:617
>  kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555
>  slab_post_alloc_hook mm/slab.h:456 [inline]
>  slab_alloc_node mm/slub.c:2712 [inline]
>  slab_alloc mm/slub.c:2720 [inline]
>  kmem_cache_alloc+0x12f/0x610 mm/slub.c:2725
>  sk_prot_alloc+0x6e/0x300 net/core/sock.c:1422
>  sk_alloc+0x82/0x880 net/core/sock.c:1484
>  inet_create+0x519/0x11b0 net/ipv4/af_inet.c:318
>  __sock_create+0x52e/0xa50 net/socket.c:1249
>  sock_create net/socket.c:1289 [inline]
>  SYSC_socket net/socket.c:1319 [inline]
>  SyS_socket+0x105/0x260 net/socket.c:1299
>  do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
>  return_from_SYSCALL_64+0x0/0x7a
>
> Freed by task 8076:
>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>  set_track mm/kasan/kasan.c:525 [inline]
>  kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590
>  slab_free_hook mm/slub.c:1357 [inline]
>  slab_free_freelist_hook mm/slub.c:1379 [inline]
>  slab_free mm/slub.c:2955 [inline]
>  kmem_cache_free+0xec/0x630 mm/slub.c:2977
>  sk_prot_free net/core/sock.c:1465 [inline]
>  __sk_destruct+0x6a1/0xb40 net/core/sock.c:1546
>  sk_destruct+0x57/0xb0 net/core/sock.c:1554
>  __sk_free+0x62/0x260 net/core/sock.c:1562
>  sk_free+0x28/0x40 net/core/sock.c:1573
>  sock_put include/net/sock.h:1655 [inline]
>  sk_common_release+0x241/0x3c0 net/core/sock.c:2902
>  ping_close+0x15/0x20 net/ipv4/ping.c:295
>  inet_release+0x108/0x240 net/ipv4/af_inet.c:425
>  sock_release+0x96/0x260 net/socket.c:597
>  SYSC_socketpair net/socket.c:1436 [inline]
>  SyS_socketpair+0x522/0x710 net/socket.c:1340
>  do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
>  return_from_SYSCALL_64+0x0/0x7a
>
> The buggy address belongs to the object at 880069419c40
>  which belongs to the cache PING of size 1392
> The buggy address is located 80 bytes to the right of
>  1392-byte region [880069419c40, 88006941a1b0)
> The buggy address belongs to the page:
> page:ea0001a50600 count:1 mapcount:0 mapping:  (null) index:0x88006941d440 compound_mapcount: 0
> flags: 0x5fffc008100(slab|head)
> raw: 05fffc008100  88006941d440 000100120005
> raw: 88006c5ba490 88006c5ba490 88006b197c40 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  88006941a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  88006941a180: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
> >88006941a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>    ^
>  88006941a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  88006941a300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>
> And second:
>
> INFO: trying to register non-static key.
> the code is fine but needs lockdep annotation.
> turning off the locking correctness validator.
> CPU: 3 PID: 12664 

net: icmp vs udp_poll race?

2017-06-02 Thread Levin, Alexander (Sasha Levin)
Hi all,

On the latest linux-next I'm seeing issues that look like an icmp
socket destruction racing with poll(). It manifests in two ways, first:

BUG: KASAN: slab-out-of-bounds in skb_queue_empty include/linux/skbuff.h:1197 [inline]
BUG: KASAN: slab-out-of-bounds in udp_poll+0x5fb/0x6f0 net/ipv4/udp.c:2443
Read of size 8 at addr 88006941a200 by task syz-executor5/9052

CPU: 2 PID: 9052 Comm: syz-executor5 Not tainted 4.12.0-rc3-next-20170601+ #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x115/0x1d1 lib/dump_stack.c:52
 print_address_description+0xe7/0x370 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x1b0/0x450 mm/kasan/report.c:408
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 skb_queue_empty include/linux/skbuff.h:1197 [inline]
 udp_poll+0x5fb/0x6f0 net/ipv4/udp.c:2443
 sock_poll+0x169/0x410 net/socket.c:1101
 do_pollfd fs/select.c:825 [inline]
 do_poll fs/select.c:875 [inline]
 do_sys_poll+0x7a7/0x13b0 fs/select.c:969
 SYSC_poll fs/select.c:1027 [inline]
 SyS_poll+0x106/0x460 fs/select.c:1015
 do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x451429
RSP: 002b:7fee2df0dc08 EFLAGS: 0216 ORIG_RAX: 0007
RAX: ffda RBX: 2fb0 RCX: 00451429
RDX: 001f RSI: 000a RDI: 2fb0
RBP: 00718000 R08:  R09: 
R10:  R11: 0216 R12: 
R13: 000a R14: 03c4 R15: 7fee2df0e700

Allocated by task 9052:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_kmalloc+0xae/0xe0 mm/kasan/kasan.c:617
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:555
 slab_post_alloc_hook mm/slab.h:456 [inline]
 slab_alloc_node mm/slub.c:2712 [inline]
 slab_alloc mm/slub.c:2720 [inline]
 kmem_cache_alloc+0x12f/0x610 mm/slub.c:2725
 sk_prot_alloc+0x6e/0x300 net/core/sock.c:1422
 sk_alloc+0x82/0x880 net/core/sock.c:1484
 inet_create+0x519/0x11b0 net/ipv4/af_inet.c:318
 __sock_create+0x52e/0xa50 net/socket.c:1249
 sock_create net/socket.c:1289 [inline]
 SYSC_socket net/socket.c:1319 [inline]
 SyS_socket+0x105/0x260 net/socket.c:1299
 do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
 return_from_SYSCALL_64+0x0/0x7a

Freed by task 8076:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590
 slab_free_hook mm/slub.c:1357 [inline]
 slab_free_freelist_hook mm/slub.c:1379 [inline]
 slab_free mm/slub.c:2955 [inline]
 kmem_cache_free+0xec/0x630 mm/slub.c:2977
 sk_prot_free net/core/sock.c:1465 [inline]
 __sk_destruct+0x6a1/0xb40 net/core/sock.c:1546
 sk_destruct+0x57/0xb0 net/core/sock.c:1554
 __sk_free+0x62/0x260 net/core/sock.c:1562
 sk_free+0x28/0x40 net/core/sock.c:1573
 sock_put include/net/sock.h:1655 [inline]
 sk_common_release+0x241/0x3c0 net/core/sock.c:2902
 ping_close+0x15/0x20 net/ipv4/ping.c:295
 inet_release+0x108/0x240 net/ipv4/af_inet.c:425
 sock_release+0x96/0x260 net/socket.c:597
 SYSC_socketpair net/socket.c:1436 [inline]
 SyS_socketpair+0x522/0x710 net/socket.c:1340
 do_syscall_64+0x275/0x810 arch/x86/entry/common.c:284
 return_from_SYSCALL_64+0x0/0x7a

The buggy address belongs to the object at 880069419c40
 which belongs to the cache PING of size 1392
The buggy address is located 80 bytes to the right of
 1392-byte region [880069419c40, 88006941a1b0)
The buggy address belongs to the page:
page:ea0001a50600 count:1 mapcount:0 mapping:  (null) index:0x88006941d440 compound_mapcount: 0
flags: 0x5fffc008100(slab|head)
raw: 05fffc008100  88006941d440 000100120005
raw: 88006c5ba490 88006c5ba490 88006b197c40 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88006941a100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 88006941a180: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>88006941a200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ^
 88006941a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88006941a300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb

And second:

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 3 PID: 12664 Comm: syz-executor7 Not tainted 4.12.0-rc3-next-20170601+ #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x115/0x1d1 lib/dump_stack.c:52
 register_lock_class+0x5a5/0x2ce0