Subject: Re: KASAN: use-after-free Read in sk_psock_link_pop
From: Daniel Borkmann <daniel@iogearbox.net>
To: syzbot, davem@davemloft.net, john.fastabend@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Date: Fri, 19 Oct 2018 17:57:43 +0200
In-Reply-To: <000000000000a6391e057896e940@google.com>
References: <000000000000a6391e057896e940@google.com>
List-ID: linux-kernel@vger.kernel.org

On 10/19/2018 05:54 PM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    3a3295bfa6f4 Merge branch 'sctp-fix-sk_wmem_queued-and-use..
> git tree:       net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a09791400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=133950703f7759f9
> dashboard link: https://syzkaller.appspot.com/bug?extid=1651eee005f9de26ec35
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+1651eee005f9de26ec35@syzkaller.appspotmail.com
>
> __nla_parse: 2 callbacks suppressed
> netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
> Read of size 8 at addr ffff8801bcae2ff8 by task syz-executor3/30186
>
> CPU: 0 PID: 30186 Comm: syz-executor3 Not tainted 4.19.0-rc7+ #266
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
>  print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>  __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
>  lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3900
>  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
>  _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
>  spin_lock_bh include/linux/spinlock.h:334 [inline]
[...]

Looking into it ...
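A splat like the one quoted above is usually triaged by hand: find the bug class, the access, and the first frame that is neither KASAN's reporting plumbing nor the lock helper the freed object was passed to. As an added example (my own code, not part of this mail, of syzbot, or of the kernel tree), here is a small Python parser that pulls those fields out of a KASAN report copied from a mail archive. The sample input is the report quoted above, re-embedded as a constructed string with the "> " quote prefix and the "[...]" cut left in; the NOISE and LOCKING frame lists are my assumptions about which frames to skip, and culprit() returns None for this input because the quoted trace stops inside the spinlock helpers.

```python
"""Pull triage fields out of a KASAN report quoted in a mailing-list reply."""
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed sample: the report quoted in the mail above, with the archive's
# "> " quote prefix left on and the "[...]" cut where the mail stops the trace.
SAMPLE = """\
> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
> Read of size 8 at addr ffff8801bcae2ff8 by task syz-executor3/30186
>
> CPU: 0 PID: 30186 Comm: syz-executor3 Not tainted 4.19.0-rc7+ #266
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
>  print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
>  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
>  __lock_acquire+0x37c2/0x4ec0 kernel/locking/lockdep.c:3290
>  lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3900
>  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
>  _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
>  spin_lock_bh include/linux/spinlock.h:334 [inline]
[...]
"""


class Frame(NamedTuple):
    func: str  # symbol name, without the +0x.../0x... offset
    loc: str   # file:line as printed by the kernel


# Reporting plumbing at the top of every KASAN splat (assumed skip list).
NOISE = ("__dump_stack", "dump_stack", "print_address_description",
         "kasan_report", "__asan_report", "__kasan")
# Lock helpers: when the freed object holds the lock, these sit between the
# KASAN frames and the code that owns the object (assumed skip list).
LOCKING = ("__lock_acquire", "lock_acquire", "__raw_spin_lock",
           "_raw_spin_lock", "spin_lock")

BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<site>\S+) (?P<loc>\S+)$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)$")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"\s+(?P<loc>\S+:\d+)(?:\s+\[inline\])?$")
QUOTE_RE = re.compile(r"^(?:>\s?)+")  # strip one or more mail quote levels


@dataclass
class KasanReport:
    bug: str          # e.g. "use-after-free"
    site: str         # symbol+offset from the BUG: line
    kind: str         # "Read" or "Write"
    size: int         # access width in bytes
    addr: int         # faulting address
    task: str         # comm of the task that hit it
    pid: int
    frames: List[Frame] = field(default_factory=list)
    truncated: bool = False  # True if the quoted trace ends in "[...]"

    def first_frame(self) -> Optional[Frame]:
        """First frame past the reporting plumbing: where the bad access executed."""
        return next((f for f in self.frames if not f.func.startswith(NOISE)), None)

    def culprit(self) -> Optional[Frame]:
        """First frame outside the lock helpers as well, i.e. the code that used
        the freed object. None if the quoted trace is cut off before reaching it."""
        return next((f for f in self.frames
                     if not f.func.startswith(NOISE + LOCKING)), None)

    def title(self) -> str:
        """syzbot-style one-liner; falls back to first_frame() on a truncated trace."""
        where = self.culprit() or self.first_frame()
        return f"KASAN: {self.bug} {self.kind} in {where.func if where else self.site}"


def parse_kasan_report(text: str) -> KasanReport:
    """Parse a (possibly quoted, possibly truncated) KASAN report into fields."""
    fields = {}
    frames: List[Frame] = []
    truncated = in_trace = False
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw).strip()
        if not line:
            continue
        if line == "[...]":
            truncated = True
        elif (m := BUG_RE.match(line)):
            fields.update(bug=m["bug"], site=m["site"])
        elif (m := ACCESS_RE.match(line)):
            fields.update(kind=m["kind"], size=int(m["size"]),
                          addr=int(m["addr"], 16), task=m["task"], pid=int(m["pid"]))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append(Frame(m["func"], m["loc"]))
    if {"bug", "kind"} - set(fields):
        raise ValueError("not a KASAN report")
    return KasanReport(frames=frames, truncated=truncated, **fields)


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(r.title())
    print(f"{r.kind} of {r.size} bytes at {r.addr:#x} by {r.task}/{r.pid}")
    print("first frame:", r.first_frame())
    print("culprit:", r.culprit(), "(trace truncated)" if r.truncated else "")
```

The two skip lists are the part worth tuning per report: the NOISE list is stable across kernels, but LOCKING only applies when the freed object is the lock itself, as it is here (the UAF fires inside lockdep on behalf of spin_lock_bh); for a plain data access the culprit is simply the first non-NOISE frame.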