Re: KASAN: use-after-free Read in nr_rx_frame (2)
syzbot has found a reproducer for the following crash on:

HEAD commit:    629f8205 Merge tag 'for-linus-20190730' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1585606260
kernel config:  https://syzkaller.appspot.com/x/.config?x=e397351d2615e10
dashboard link: https://syzkaller.appspot.com/bug?extid=701728447042217b67c1
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14a6e00860
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11937d9260

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+701728447042217b6...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x7c/0x280 lib/refcount.c:123
Read of size 4 at addr 8880893ccec0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc2+ #56
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5b0 mm/kasan/report.c:351
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
 kasan_report+0x26/0x50 mm/kasan/common.c:612
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:92
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_inc_not_zero_checked+0x7c/0x280 lib/refcount.c:123
 refcount_inc_checked+0x15/0x50 lib/refcount.c:156
 sock_hold include/net/sock.h:649 [inline]
 sk_add_node include/net/sock.h:701 [inline]
 nr_insert_socket net/netrom/af_netrom.c:137 [inline]
 nr_rx_frame+0x17bc/0x1e40 net/netrom/af_netrom.c:1023
 nr_loopback_timer+0x6a/0x140 net/netrom/nr_loopback.c:59
 call_timer_fn+0xec/0x200 kernel/time/timer.c:1322
 expire_timers kernel/time/timer.c:1366 [inline]
 __run_timers+0x7cd/0x9c0 kernel/time/timer.c:1685
 run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1698
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x227/0x230 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:537 [inline]
 smp_apic_timer_interrupt+0x113/0x280 arch/x86/kernel/apic/apic.c:1095
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:828
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 01 fa eb ae 89 d9 80 e1 07 80 c1 03 38 c1 7c ba 48 89 df e8 74 3b 01 fa eb b0 90 90 e9 07 00 00 00 0f 00 2d d6 36 51 00 fb f4 90 e9 07 00 00 00 0f 00 2d c6 36 51 00 f4 c3 90 90 55 48 89 e5
RSP: 0018:88c07cd8 EFLAGS: 0286 ORIG_RAX: ff13
RAX: 111950f3 RBX: 88c75a00 RCX: dc00
RDX: RSI: 812d2b3a RDI: 87b14d9a
RBP: 88c07ce0 R08: 817d8974 R09: fbfff118eb41
R10: fbfff118eb41 R11: R12:
R13: 1118eb40 R14: dc00 R15: dc00
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:571
 default_idle_call+0x59/0xa0 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x180/0x780 kernel/sched/idle.c:263
 cpu_startup_entry+0x25/0x30 kernel/sched/idle.c:354
 rest_init+0x29d/0x2b0 init/main.c:451
 arch_call_rest_init+0xe/0x10
 start_kernel+0x751/0x871 init/main.c:785
 x86_64_start_reservations+0x18/0x2e arch/x86/kernel/head64.c:472
 x86_64_start_kernel+0x7a/0x7d arch/x86/kernel/head64.c:453
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

Allocated by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:487
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x254/0x340 mm/slab.c:3664
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0xb0/0x290 net/core/sock.c:1603
 sk_alloc+0x38/0x950 net/core/sock.c:1657
 nr_make_new net/netrom/af_netrom.c:476 [inline]
 nr_rx_frame+0xabc/0x1e40 net/netrom/af_netrom.c:959
 nr_loopback_timer+0x6a/0x140 net/netrom/nr_loopback.c:59
 call_timer_fn+0xec/0x200 kernel/time/timer.c:1322
 expire_timers kernel/time/timer.c:1366 [inline]
 __run_timers+0x7cd/0x9c0 kernel/time/timer.c:1685
 run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1698
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778

Freed by task 23150:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x115/0x200 mm/slab.c:3756
Re: KASAN: use-after-free Read in nr_rx_frame (2)
On Tue, Jul 23, 2019 at 10:49 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    3bfe1fc4 Merge tag 'for-5.3/dm-changes-2' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10413e3460
> kernel config:  https://syzkaller.appspot.com/x/.config?x=21511d77e11db3cb
> dashboard link: https://syzkaller.appspot.com/bug?extid=701728447042217b67c1
> compiler:       clang version 9.0.0 (/home/glider/llvm/clang
> 80fee25776c2fb61e74c1ecb1a523375c2500b69)
>
> Unfortunately, I don't have any reproducer for this crash yet.

+net/netrom/af_netrom.c maintainers

> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+701728447042217b6...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: use-after-free in atomic_read
> /./include/asm-generic/atomic-instrumented.h:26 [inline]
> BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x7c/0x280
> /lib/refcount.c:123
> Read of size 4 at addr 88808ee52080 by task swapper/1/0
>
> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.2.0+ #35
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
>  __dump_stack /lib/dump_stack.c:77 [inline]
>  dump_stack+0x1d8/0x2f8 /lib/dump_stack.c:113
>  print_address_description+0x75/0x5b0 /mm/kasan/report.c:351
>  __kasan_report+0x14b/0x1c0 /mm/kasan/report.c:482
>  kasan_report+0x26/0x50 /mm/kasan/common.c:612
>  check_memory_region_inline /mm/kasan/generic.c:182 [inline]
>  check_memory_region+0x2cf/0x2e0 /mm/kasan/generic.c:192
>  __kasan_check_read+0x11/0x20 /mm/kasan/common.c:92
>  atomic_read /./include/asm-generic/atomic-instrumented.h:26 [inline]
>  refcount_inc_not_zero_checked+0x7c/0x280 /lib/refcount.c:123
>  refcount_inc_checked+0x15/0x50 /lib/refcount.c:156
>  sock_hold /./include/net/sock.h:649 [inline]
>  sk_add_node /./include/net/sock.h:701 [inline]
>  nr_insert_socket /net/netrom/af_netrom.c:137 [inline]
>  nr_rx_frame+0x17bc/0x1e40 /net/netrom/af_netrom.c:1023
>  nr_loopback_timer+0x6a/0x140 /net/netrom/nr_loopback.c:59
>  call_timer_fn+0xec/0x200 /kernel/time/timer.c:1322
>  expire_timers /kernel/time/timer.c:1366 [inline]
>  __run_timers+0x7cd/0x9c0 /kernel/time/timer.c:1685
>  run_timer_softirq+0x4a/0x90 /kernel/time/timer.c:1698
>  __do_softirq+0x333/0x7c4 /./arch/x86/include/asm/paravirt.h:777
>  invoke_softirq /kernel/softirq.c:373 [inline]
>  irq_exit+0x227/0x230 /kernel/softirq.c:413
>  exiting_irq /./arch/x86/include/asm/apic.h:537 [inline]
>  smp_apic_timer_interrupt+0x113/0x280 /arch/x86/kernel/apic/apic.c:1095
>  apic_timer_interrupt+0xf/0x20 /arch/x86/entry/entry_64.S:828
>
> RIP: 0010:native_safe_halt+0xe/0x10 /./arch/x86/include/asm/irqflags.h:61
> Code: 06 fa eb ae 89 d9 80 e1 07 80 c1 03 38 c1 7c ba 48 89 df e8 c4 41 06
> fa eb b0 90 90 e9 07 00 00 00 0f 00 2d 76 67 56 00 fb f4 90 e9 07 00
> 00 00 0f 00 2d 66 67 56 00 f4 c3 90 90 55 48 89 e5
> RSP: 0018:8880a98cfd38 EFLAGS: 0286 ORIG_RAX: ff13
> RAX: 111950db RBX: 8880a98bc340 RCX: dc00
> RDX: RSI: 812d193a RDI: 8880a98bcb78
> RBP: 8880a98cfd40 R08: 8880a98bcb90 R09: ed1015317869
> R10: ed1015317869 R11: R12: 0001
> R13: 111015317868 R14: dc00 R15: dc00
>  arch_cpu_idle+0xa/0x10 /arch/x86/kernel/process.c:571
>  default_idle_call+0x59/0xa0 /kernel/sched/idle.c:94
>  cpuidle_idle_call /kernel/sched/idle.c:154 [inline]
>  do_idle+0x180/0x780 /kernel/sched/idle.c:263
>  cpu_startup_entry+0x25/0x30 /kernel/sched/idle.c:354
>  start_secondary+0x3f4/0x490 /arch/x86/kernel/smpboot.c:264
>  secondary_startup_64+0xa4/0xb0 /arch/x86/kernel/head_64.S:243
>
> Allocated by task 0:
>  save_stack /mm/kasan/common.c:69 [inline]
>  set_track /mm/kasan/common.c:77 [inline]
>  __kasan_kmalloc+0x11c/0x1b0 /mm/kasan/common.c:487
>  kasan_kmalloc+0x9/0x10 /mm/kasan/common.c:501
>  __do_kmalloc /mm/slab.c:3655 [inline]
>  __kmalloc+0x254/0x340 /mm/slab.c:3664
>  kmalloc /./include/linux/slab.h:557 [inline]
>  sk_prot_alloc+0xb0/0x290 /net/core/sock.c:1603
>  sk_alloc+0x38/0x950 /net/core/sock.c:1657
>  nr_make_new /net/netrom/af_netrom.c:476 [inline]
>  nr_rx_frame+0xabc/0x1e40 /net/netrom/af_netrom.c:959
>  nr_loopback_timer+0x6a/0x140 /net/netrom/nr_loopback.c:59
>  call_timer_fn+0xec/0x200 /kernel/time/timer.c:1322
>  expire_timers /kernel/time/timer.c:1366 [inline]
>  __run_timers+0x7cd/0x9c0 /kernel/time/timer.c:1685
>  run_timer_softirq+0x4a/0x90 /kernel/time/timer.c:1698
>  __do_softirq+0x333/0x7c4 /./arch/x86/include/asm/paravirt.h:777
>
> Freed by task 4044:
>  save_stack /mm/kasan/common.c:69 [inline]
>  set_track /mm/kasan/common.c:77 [inline]
>  __kasan_slab_free+0x12a/0x1e0 /mm/kasan/common.c:449
>
Re: KASAN: use-after-free Read in nr_rx_frame
#syz fix: netrom: fix locking in nr_find_socket()