Subject: Re: KASAN: use-after-free Write in bpf_tcp_close
From: Daniel Borkmann
To: syzbot, ast@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, john.fastabend@gmail.com
Date: Mon, 28 May 2018 00:15:21 +0200
In-Reply-To: <000000000000cb4149056d3587f5@google.com>
References: <000000000000cb4149056d3587f5@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

[ +John ]

On 05/27/2018 10:06 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    ff4fb475cea8 Merge branch 'btf-uapi-cleanups'
> git tree:       bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=12b3d577800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b632d8e2c2ab2c1
> dashboard link: https://syzkaller.appspot.com/bug?extid=31025a5f3f7650081204
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=109a2f37800000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171a727b800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+31025a5f3f7650081204@syzkaller.appspotmail.com

Should be fixed by: https://patchwork.ozlabs.org/patch/920695/

> ==================================================================
> BUG: KASAN: use-after-free in cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
> BUG: KASAN: use-after-free in bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
> Write of size 8 at addr ffff8801ca277680 by task syz-executor749/9723
>
> CPU: 0 PID: 9723 Comm: syz-executor749 Not tainted 4.17.0-rc4+ #19
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
>  check_memory_region_inline mm/kasan/kasan.c:260 [inline]
>  check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
>  kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
>  cmpxchg_size include/asm-generic/atomic-instrumented.h:355 [inline]
>  bpf_tcp_close+0x6f5/0xf80 kernel/bpf/sockmap.c:265
>  inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
>  inet6_release+0x50/0x70 net/ipv6/af_inet6.c:459
>  sock_release+0x96/0x1b0 net/socket.c:594
>  sock_close+0x16/0x20 net/socket.c:1149
>  __fput+0x34d/0x890 fs/file_table.c:209
>  ____fput+0x15/0x20 fs/file_table.c:243
>  task_work_run+0x1e4/0x290 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x1aee/0x2730 kernel/exit.c:865
>  do_group_exit+0x16f/0x430 kernel/exit.c:968
>  __do_sys_exit_group kernel/exit.c:979 [inline]
>  __se_sys_exit_group kernel/exit.c:977 [inline]
>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x440a59
> RSP: 002b:00007ffdadf92488 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440a59
> RDX: 0000000000440a59 RSI: 0000000000000020 RDI: 0000000000000000
> RBP: 0000000000000000 R08: 00000000004002c8 R09: 0000000000401ea0
> R10: 00000000004002c8 R11: 0000000000000206 R12: 000000000001b5ac
> R13: 0000000000401ea0 R14: 0000000000000000 R15: 0000000000000000
>
> Allocated by task 9723:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>  __do_kmalloc_node mm/slab.c:3682 [inline]
>  __kmalloc_node+0x47/0x70 mm/slab.c:3689
>  kmalloc_node include/linux/slab.h:554 [inline]
>  bpf_map_area_alloc+0x3f/0x90 kernel/bpf/syscall.c:144
>  sock_map_alloc+0x376/0x410 kernel/bpf/sockmap.c:1555
>  find_and_alloc_map kernel/bpf/syscall.c:126 [inline]
>  map_create+0x393/0x1010 kernel/bpf/syscall.c:448
>  __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
>  __se_sys_bpf kernel/bpf/syscall.c:2105 [inline]
>  __x64_sys_bpf+0x300/0x4f0 kernel/bpf/syscall.c:2105
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 4521:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>  __cache_free mm/slab.c:3498 [inline]
>  kfree+0xd9/0x260 mm/slab.c:3813
>  kvfree+0x61/0x70 mm/util.c:440
>  bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:155
>  sock_map_remove_complete kernel/bpf/sockmap.c:1443 [inline]
>  sock_map_free+0x408/0x540 kernel/bpf/sockmap.c:1619
>  bpf_map_free_deferred+0xba/0xf0 kernel/bpf/syscall.c:259
>  process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
>  worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
>  kthread+0x345/0x410 kernel/kthread.c:238
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>
> The buggy address belongs to the object at ffff8801ca277680
>  which belongs to the cache kmalloc-1024 of size 1024
> The buggy address is located 0 bytes inside of
>  1024-byte region [ffff8801ca277680, ffff8801ca277a80)
> The buggy address belongs to the page:
> page:ffffea0007289d80 count:1 mapcount:0 mapping:ffff8801ca276000 index:0x0 compound_mapcount: 0
> flags: 0x2fffc0000008100(slab|head)
> raw: 02fffc0000008100 ffff8801ca276000 0000000000000000 0000000100000007
> raw: ffffea0006d12b20 ffffea000763bba0 ffff8801da800ac0 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8801ca277580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8801ca277600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8801ca277680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                    ^
>  ffff8801ca277700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8801ca277780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches