Re: KASAN: use-after-free Read in rxrpc_send_keepalive
This is the fix, I think. David --- rxrpc: Fix call ref leak When sendmsg() finds a call to continue on with, if the call is in an inappropriate state, it doesn't release the ref it just got on that call before returning an error. This causes the following symptom to show up with kasan: BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635 Read of size 8 at addr 888064219698 by task kworker/0:3/11077 where line 635 is: whdr.epoch = htonl(peer->local->rxnet->epoch); The local endpoint (which cannot be pinned by the call) has been released, but not the peer (which is pinned by the call). Fixes: 37411cad633f ("rxrpc: Fix potential NULL-pointer exception") Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com Signed-off-by: David Howells --- sendmsg.c |1 + 1 file changed, 1 insertion(+) diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c index 6cd55b1d79f9..79b5b23db4c1 100644 --- a/net/rxrpc/sendmsg.c +++ b/net/rxrpc/sendmsg.c @@ -661,6 +661,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len) case RXRPC_CALL_SERVER_PREALLOC: case RXRPC_CALL_SERVER_SECURING: case RXRPC_CALL_SERVER_ACCEPTING: + rxrpc_put_call(call, rxrpc_call_put); ret = -EBUSY; goto error_release_sock; default:
Re: KASAN: use-after-free Read in rxrpc_send_keepalive
syzbot has found a reproducer for the following crash on: HEAD commit:3120b9a6 Merge tag 'ipc-fixes' of git://git.kernel.org/pub.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=107d1ca560 kernel config: https://syzkaller.appspot.com/x/.config?x=ed2b148cd67382ec dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31 compiler: clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1734709560 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143bcca560 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com == BUG: KASAN: use-after-free in rxrpc_send_keepalive+0xe2/0x3c0 net/rxrpc/output.c:634 Read of size 8 at addr 8880a859a058 by task kworker/0:2/3016 CPU: 0 PID: 3016 Comm: kworker/0:2 Not tainted 5.3.0-rc8+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: krxrpcd rxrpc_peer_keepalive_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113 print_address_description+0x75/0x5b0 mm/kasan/report.c:351 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482 kasan_report+0x26/0x50 mm/kasan/common.c:618 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 rxrpc_send_keepalive+0xe2/0x3c0 net/rxrpc/output.c:634 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline] rxrpc_peer_keepalive_worker+0x76e/0xb40 net/rxrpc/peer_event.c:430 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415 kthread+0x332/0x350 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 9378: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:493 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] rxrpc_alloc_connection+0x79/0x490 net/rxrpc/conn_object.c:41 rxrpc_alloc_client_connection net/rxrpc/conn_client.c:176 [inline] rxrpc_get_client_conn net/rxrpc/conn_client.c:339 [inline] rxrpc_connect_call+0xb30/0x2c40 net/rxrpc/conn_client.c:697 rxrpc_new_client_call+0x6d5/0xb60 net/rxrpc/call_object.c:289 rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline] rxrpc_do_sendmsg+0xf2b/0x19b0 net/rxrpc/sendmsg.c:652 rxrpc_sendmsg+0x5eb/0x8b0 net/rxrpc/af_rxrpc.c:585 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg net/socket.c:657 [inline] ___sys_sendmsg+0x60d/0x910 net/socket.c:2311 __sys_sendmmsg+0x239/0x470 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463 __cache_free mm/slab.c:3425 [inline] kfree+0x115/0x200 mm/slab.c:3756 rxrpc_destroy_connection+0x1ec/0x240 net/rxrpc/conn_object.c:372 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2114 [inline] rcu_core+0x892/0xf10 kernel/rcu/tree.c:2314 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778 The buggy address belongs to the object at 8880a859a040 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [8880a859a040, 8880a859a440) The buggy address belongs to the page: page:ea0002a16680 refcount:1 mapcount:0 mapping:8880aa400c40 index:0x0 compound_mapcount: 0 flags: 0x1fffc010200(slab|head) raw: 01fffc010200 ea00024cc688 ea0002684d88 8880aa400c40 raw: 8880a859a040 00010007 page dumped because: kasan: bad access detected Memory state around the buggy address: 8880a8599f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 8880a8599f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 8880a859a000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ 8880a859a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 8880a859a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==
Re: KASAN: use-after-free Read in rxrpc_send_keepalive
syzbot has found a reproducer for the following crash on: HEAD commit:ed2393ca Add linux-next specific files for 20190827 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=156adb1e60 kernel config: https://syzkaller.appspot.com/x/.config?x=2ef5940a07ed45f4 dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31 compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167ab58260 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready == BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:634 Read of size 8 at addr 888086b01218 by task kworker/0:1/12 CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc6-next-20190827 #74 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: krxrpcd rxrpc_peer_keepalive_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:634 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:634 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline] rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 8741: save_stack+0x23/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc mm/kasan/common.c:510 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:483 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x163/0x770 mm/slab.c:3664 kmalloc_array include/linux/slab.h:614 [inline] kcalloc include/linux/slab.h:625 [inline] alloc_pipe_info+0x199/0x420 fs/pipe.c:676 get_pipe_inode fs/pipe.c:738 [inline] create_pipe_files+0x8e/0x730 fs/pipe.c:770 __do_pipe_flags+0x48/0x250 fs/pipe.c:807 do_pipe2+0x84/0x160 fs/pipe.c:855 __do_sys_pipe2 fs/pipe.c:873 [inline] __se_sys_pipe2 fs/pipe.c:871 [inline] __x64_sys_pipe2+0x54/0x80 fs/pipe.c:871 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8741: save_stack+0x23/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x10a/0x2c0 mm/slab.c:3756 free_pipe_info+0x243/0x300 fs/pipe.c:709 put_pipe_info+0xd0/0xf0 fs/pipe.c:582 pipe_release+0x1e6/0x280 fs/pipe.c:603 __fput+0x2ff/0x890 fs/file_table.c:280 fput+0x16/0x20 fs/file_table.c:313 task_work_run+0x145/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop+0x316/0x380 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] syscall_return_slowpath arch/x86/entry/common.c:274 [inline] do_syscall_64+0x65f/0x760 arch/x86/entry/common.c:300 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at 888086b01200 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [888086b01200, 888086b01600) The buggy address belongs to the page: page:ea00021ac000 refcount:1 mapcount:0 mapping:8880aa400c40 index:0x888086b00480 compound_mapcount: 0 flags: 0x1fffc010200(slab|head) raw: 01fffc010200 ea00027b5588 ea00028e3808 8880aa400c40 raw: 888086b00480 888086b0 00010003 page dumped because: kasan: bad access detected Memory state around the buggy address: 888086b01100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 888086b01180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 888086b01200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 888086b01280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 888086b01300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==
KASAN: use-after-free Read in rxrpc_send_keepalive
Hello, syzbot found the following crash on: HEAD commit:b678c568 Merge tag 'nfs-for-5.3-2' of git://git.linux-nfs... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10ea5e3660 kernel config: https://syzkaller.appspot.com/x/.config?x=a4c9e9f08e9e8960 dashboard link: https://syzkaller.appspot.com/bug?extid=d850c266e3df14da1d31 compiler: gcc (GCC) 9.0.0 20181231 (experimental) Unfortunately, I don't have any reproducer for this crash yet. IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+d850c266e3df14da1...@syzkaller.appspotmail.com == BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635 Read of size 8 at addr 888064219698 by task kworker/0:3/11077 CPU: 0 PID: 11077 Comm: kworker/0:3 Not tainted 5.3.0-rc3+ #96 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: krxrpcd rxrpc_peer_keepalive_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351 __kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482 kasan_report+0x12/0x17 mm/kasan/common.c:612 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635 rxrpc_peer_keepalive_dispatch net/rxrpc/peer_event.c:369 [inline] rxrpc_peer_keepalive_worker+0x7be/0xd02 net/rxrpc/peer_event.c:430 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 20465: save_stack+0x23/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc mm/kasan/common.c:487 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:460 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3550 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:748 [inline] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] rxrpc_lookup_local+0x64c/0x1b70 net/rxrpc/local_object.c:279 rxrpc_sendmsg+0x379/0x5f0 net/rxrpc/af_rxrpc.c:566 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 0: save_stack+0x23/0x90 mm/kasan/common.c:69 set_track mm/kasan/common.c:77 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:449 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457 __cache_free mm/slab.c:3425 [inline] kfree+0x10a/0x2c0 mm/slab.c:3756 rxrpc_local_rcu+0x62/0x80 net/rxrpc/local_object.c:471 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2114 [inline] rcu_core+0x67f/0x1580 kernel/rcu/tree.c:2314 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323 __do_softirq+0x262/0x98c kernel/softirq.c:292 The buggy address belongs to the object at 888064219680 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [888064219680, 888064219a80) The buggy address belongs to the page: page:ea0001908600 refcount:1 mapcount:0 mapping:8880aa400c40 index:0x888064218480 compound_mapcount: 0 flags: 0x1fffc010200(slab|head) raw: 01fffc010200 ea00025f5a08 ea00028fca08 8880aa400c40 raw: 888064218480 888064218000 00010001 page dumped because: kasan: bad access detected Memory state around the buggy address: 888064219580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 888064219600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 888064219680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 888064219700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb 888064219780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb == --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.