KASAN: use-after-free Read in __schedule (2)

From: syzbot
Date: Thu Aug 02 2018 - 12:04:19 EST


Hello,

syzbot found the following crash on:

HEAD commit: a94c689e6c9e net: dsa: Do not suspend/resume closed slave_..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=140800e2400000
kernel config: https://syzkaller.appspot.com/x/.config?x=2dc0cd7c2eefb46f
dashboard link: https://syzkaller.appspot.com/bug?extid=ceded3495a1d59f2d244
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=1627bbfc400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e0cc8c400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ceded3495a1d59f2d244@xxxxxxxxxxxxxxxxxxxxxxxxx

R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000005
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
==================================================================
BUG: KASAN: use-after-free in schedule_debug kernel/sched/core.c:3313 [inline]
BUG: KASAN: use-after-free in __schedule+0x1a18/0x1ec0 kernel/sched/core.c:3423
Read of size 8 at addr ffff8801af280000 by task ip/6349

CPU: 1 PID: 6349 Comm: ip Not tainted 4.18.0-rc7+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 schedule_debug kernel/sched/core.c:3313 [inline]
 __schedule+0x1a18/0x1ec0 kernel/sched/core.c:3423
 schedule+0xfb/0x450 kernel/sched/core.c:3545
 exit_to_usermode_loop+0x22f/0x370 arch/x86/entry/common.c:152
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fab7daf0210
Code: 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb 33 90 90 90 90 90 90 90 90 90 90 90 90 83 3d d3 2a ff 00 00 75 10 b8 2f 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 6e bb 00 00 48 89 04 24
RSP: 002b:00007fff8b328a78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: 0000000000001b94 RBX: 00000000006395c0 RCX: 00007fab7daf0210
RDX: 0000000000000000 RSI: 00007fff8b328ac0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006395c0
R13: 0000000000000000 R14: 00007fff8b32cb98 R15: 00007fff8b32d3a0

The buggy address belongs to the page:
page:ffffea0006bca000 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea000743c288 ffff8801db030118 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801af27ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801af27ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801af280000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801af280080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801af280100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

page:ffffea000714e200 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea0006cfa208 ffff88021fffac18 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:515!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6338 Comm: syz-executor087 Not tainted 4.18.0-rc7+ #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:put_page_testzero include/linux/mm.h:515 [inline]
RIP: 0010:put_page include/linux/mm.h:938 [inline]
RIP: 0010:__skb_frag_unref include/linux/skbuff.h:2759 [inline]
RIP: 0010:skb_release_data+0x6bd/0x880 net/core/skbuff.c:564
Code: e8 58 09 73 fc 48 8b bd 10 ff ff ff e8 4c e6 fe ff e9 16 fb ff ff e8 42 09 73 fc 48 c7 c6 00 b9 6f 87 4c 89 ef e8 ea c0 a0 fc <0f> 0b e8 2c 09 73 fc 4c 8d 6b ff e9 e5 b0 fc ff e8 1e 09 73 fc 4c
RSP: 0018:ffff8801ae95f578 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffea000714e234 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81a9e055 RDI: ffffed0035d2bea0
RBP: ffff8801ae95f698 R08: ffff8801c6f66978 R09: 0000000000000006
R10: ffff8801c6f66140 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffea000714e200 R14: ffff8801cfdc4c20 R15: 0000000000000003
FS:  0000000000ae1880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f07e03dea8c CR3: 00000001d752e000 CR4: 00000000001406f0
Call Trace:
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb+0x15/0x20 net/core/skbuff.c:641
 sk_wmem_free_skb include/net/sock.h:1430 [inline]
 tcp_write_queue_purge+0x2c1/0x8b0 net/ipv4/tcp.c:2527
 tcp_disconnect+0x49e/0x1550 net/ipv4/tcp.c:2567
 tcp_close+0x1026/0x12d0 net/ipv4/tcp.c:2363
 tls_sk_proto_close+0x6fc/0xae0 net/tls/tls_main.c:303


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches