Re: KASAN: use-after-free Read in lock_sock_nested
syzbot has found a reproducer for the following crash on: HEAD commit:3ea54d9b Merge tag 'docs-5.3-1' of git://git.lwn.net/linux git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=16a6656460 kernel config: https://syzkaller.appspot.com/x/.config?x=195ab3ca46c2e324 dashboard link: https://syzkaller.appspot.com/bug?extid=500c69d1e21d970e461b compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=145318b460 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14ac7b7860 Bisection is inconclusive: the bug happens on the oldest tested release. bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11c610a720 final crash:https://syzkaller.appspot.com/x/report.txt?x=13c610a720 console output: https://syzkaller.appspot.com/x/log.txt?x=15c610a720 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+500c69d1e21d970e4...@syzkaller.appspotmail.com == BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock+0x295/0x3a0 kernel/locking/spinlock_debug.c:112 Read of size 4 at addr 88809f0acf0c by task syz-executor847/10804 CPU: 0 PID: 10804 Comm: syz-executor847 Not tainted 5.3.0-rc1+ #51 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113 print_address_description+0x75/0x5b0 mm/kasan/report.c:351 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482 kasan_report+0x26/0x50 mm/kasan/common.c:612 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x295/0x3a0 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline] _raw_spin_lock_bh+0x40/0x50 kernel/locking/spinlock.c:175 spin_lock_bh include/linux/spinlock.h:343 [inline] lock_sock_nested+0x45/0x120 net/core/sock.c:2917 lock_sock include/net/sock.h:1522 [inline] nr_getname+0x5b/0x220 net/netrom/af_netrom.c:838 __sys_accept4+0x63a/0x9a0 net/socket.c:1759 __do_sys_accept4 net/socket.c:1789 [inline] __se_sys_accept4 net/socket.c:1786 [inline] __x64_sys_accept4+0x9a/0xb0 net/socket.c:1786 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4480e9 Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7f43bf6ced88 EFLAGS: 0246 ORIG_RAX: 0120 RAX: ffda RBX: 006ddc38 RCX: 004480e9 RDX: RSI: 2b00 RDI: 0004 RBP: 006ddc30 R08: R09: R10: R11: 0246 R12: 006ddc3c R13: 7ffd18de174f R14: 7f43bf6cf9c0 R15: 006ddc3c Allocated by task 0: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:487 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x254/0x340 mm/slab.c:3664 kmalloc include/linux/slab.h:557 [inline] sk_prot_alloc+0xb0/0x290 net/core/sock.c:1603 sk_alloc+0x38/0x950 net/core/sock.c:1657 nr_make_new net/netrom/af_netrom.c:476 [inline] nr_rx_frame+0xabc/0x1e40 net/netrom/af_netrom.c:959 nr_loopback_timer+0x6a/0x140 net/netrom/nr_loopback.c:59 call_timer_fn+0xec/0x200 kernel/time/timer.c:1322 expire_timers kernel/time/timer.c:1366 [inline] __run_timers+0x7cd/0x9c0 kernel/time/timer.c:1685 run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1698 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778 Freed by task 10804: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:449 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457 __cache_free mm/slab.c:3425 [inline] kfree+0x115/0x200 mm/slab.c:3756 sk_prot_free net/core/sock.c:1640 [inline] __sk_destruct+0x567/0x660 net/core/sock.c:1726 sk_destruct net/core/sock.c:1734 [inline] __sk_free+0x317/0x3e0 net/core/sock.c:1745 sk_free net/core/sock.c:1756 [inline] sock_put include/net/sock.h:1725 [inline] sock_efree+0x60/0x80 net/core/sock.c:2042 skb_release_head_state+0x100/0x220 net/core/skbuff.c:652 skb_release_all net/core/skbuff.c:663 [inline] __kfree_skb+0x25/0x170 net/core/skbuff.c:679 kfree_skb+0x6f/0xb0 net/core/skbuff.c:697 nr_accept+0x4ef/0x650 net/netrom/af_netrom.c:819 __sys_accept4+0x5bc/0x9a0 net/socket.c:1754 __do_sys_accept4
Re: KASAN: use-after-free Read in lock_sock_nested
syzbot has found a reproducer for the following crash on: HEAD commit:b3418f8bddf4 Add linux-next specific files for 20190214 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=14f6304740 kernel config: https://syzkaller.appspot.com/x/.config?x=8a3a37525a677c71 dashboard link: https://syzkaller.appspot.com/bug?extid=500c69d1e21d970e461b compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b08da740 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+500c69d1e21d970e4...@syzkaller.appspotmail.com == BUG: KASAN: use-after-free in __lock_acquire+0x3150/0x4710 kernel/locking/lockdep.c:3200 Read of size 8 at addr 8880195faa60 by task syz-executor.4/7495 CPU: 1 PID: 7495 Comm: syz-executor.4 Not tainted 5.0.0-rc6-next-20190214 #35 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __lock_acquire+0x3150/0x4710 kernel/locking/lockdep.c:3200 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3833 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:334 [inline] lock_sock_nested+0x41/0x120 net/core/sock.c:2878 lock_sock include/net/sock.h:1507 [inline] nr_accept+0x200/0x790 net/netrom/af_netrom.c:808 __sys_accept4+0x350/0x6a0 net/socket.c:1610 __do_sys_accept net/socket.c:1651 [inline] __se_sys_accept net/socket.c:1648 [inline] __x64_sys_accept+0x75/0xb0 net/socket.c:1648 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457e29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7f16cb51ec78 EFLAGS: 0246 ORIG_RAX: 002b RAX: ffda RBX: 0003 RCX: 00457e29 RDX: RSI: RDI: 0004 RBP: 0073bfa0 R08: R09: R10: R11: 0246 R12: 7f16cb51f6d4 R13: 004bdbf0 R14: 004cde80 R15: Allocated by task 7492: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 __do_kmalloc mm/slab.c:3721 [inline] __kmalloc+0x15c/0x740 mm/slab.c:3730 kmalloc include/linux/slab.h:553 [inline] sk_prot_alloc+0x19c/0x2e0 net/core/sock.c:1573 sk_alloc+0x39/0xf70 net/core/sock.c:1627 nr_create+0xb9/0x5e0 net/netrom/af_netrom.c:436 __sock_create+0x3e6/0x750 net/socket.c:1297 sock_create net/socket.c:1337 [inline] __sys_socket+0x103/0x220 net/socket.c:1367 __do_sys_socket net/socket.c:1376 [inline] __se_sys_socket net/socket.c:1374 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1374 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7491: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 __cache_free mm/slab.c:3491 [inline] kfree+0xcf/0x230 mm/slab.c:3816 sk_prot_free net/core/sock.c:1610 [inline] __sk_destruct+0x4f1/0x6d0 net/core/sock.c:1692 sk_destruct+0x7b/0x90 net/core/sock.c:1700 __sk_free+0xce/0x300 net/core/sock.c:1711 sk_free+0x42/0x50 net/core/sock.c:1722 sock_put include/net/sock.h:1708 [inline] nr_release+0x337/0x3c0 net/netrom/af_netrom.c:557 __sock_release+0xd3/0x250 net/socket.c:579 sock_close+0x1b/0x30 net/socket.c:1161 __fput+0x2e5/0x8d0 fs/file_table.c:278 fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x14a/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath arch/x86/entry/common.c:268 [inline] do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at 8880195fa9c0 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 160 bytes inside of 2048-byte region [8880195fa9c0, 8880195fb1c0) The buggy address belongs to the page: page:ea657e80
KASAN: use-after-free Read in lock_sock_nested
Hello,
syzbot found the following crash on:
HEAD commit:e1ef035d272e Merge tag 'armsoc-defconfig' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1674b0bb40
kernel config: https://syzkaller.appspot.com/x/.config?x=9c6a26e22579190b
dashboard link: https://syzkaller.appspot.com/bug?extid=500c69d1e21d970e461b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+500c69d1e21d970e4...@syzkaller.appspotmail.com
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
audit: type=1400 audit(1546374052.492:5134): avc: denied { map } for
pid=30025 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
==
BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x62d/0x7d0
include/trace/events/lock.h:13
Read of size 8 at addr 88804fb90e78 by task syz-executor3/30043
CPU: 1 PID: 30043 Comm: syz-executor3 Not tainted 4.20.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
perf_trace_lock_acquire+0x62d/0x7d0 include/trace/events/lock.h:13
trace_lock_acquire include/trace/events/lock.h:13 [inline]
lock_acquire+0x371/0x570 kernel/locking/lockdep.c:3840
audit: type=1400 audit(1546374052.492:5135): avc: denied { map } for
pid=30025 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0"
dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x33/0x50 kernel/locking/spinlock.c:168
audit: type=1400 audit(1546374052.502:5136): avc: denied { map } for
pid=30024 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
spin_lock_bh include/linux/spinlock.h:334 [inline]
lock_sock_nested+0x41/0x120 net/core/sock.c:2780
lock_sock include/net/sock.h:1502 [inline]
nr_connect+0xc77/0x1380 net/netrom/af_netrom.c:743
__sys_connect+0x357/0x490 net/socket.c:1664
__do_sys_connect net/socket.c:1675 [inline]
__se_sys_connect net/socket.c:1672 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1672
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f3f0371fc78 EFLAGS: 0246 ORIG_RAX: 002a
RAX: ffda RBX: 0003 RCX: 00457ec9
RDX: 0048 RSI: 2000 RDI: 0004
RBP: 0073bfa0 R08: R09:
R10: R11: 0246 R12: 7f3f037206d4
R13: 004be35a R14: 004ce5e8 R15:
Allocated by task 30040:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
kasan_kmalloc mm/kasan/common.c:482 [inline]
kasan_kmalloc+0xcf/0xe0 mm/kasan/common.c:455
__do_kmalloc mm/slab.c:3709 [inline]
__kmalloc+0x15c/0x740 mm/slab.c:3718
kmalloc include/linux/slab.h:550 [inline]
sk_prot_alloc+0x19c/0x2e0 net/core/sock.c:1477
sk_alloc+0xd7/0x1690 net/core/sock.c:1531
audit: type=1400 audit(1546374052.502:5137): avc: denied { map } for
pid=30024 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
nr_create+0xb9/0x5e0 net/netrom/af_netrom.c:436
__sock_create+0x532/0x930 net/socket.c:1277
sock_create net/socket.c:1317 [inline]
__sys_socket+0x106/0x260 net/socket.c:1347
__do_sys_socket net/socket.c:1356 [inline]
__se_sys_socket net/socket.c:1354 [inline]
__x64_sys_socket+0x73/0xb0 net/socket.c:1354
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 30035:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
__cache_free mm/slab.c:3485 [inline]
kfree+0xcf/0x230 mm/slab.c:3804
sk_prot_free net/core/sock.c:1514 [inline]
__sk_destruct+0x76d/0xa60 net/core/sock.c:1596
