lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <94eb2c1984003ba8ef0564cc8333@google.com>
Date:   Fri, 09 Feb 2018 11:27:01 -0800
From:   syzbot <syzbot+b743957adcee51f5e0e3@...kaller.appspotmail.com>
To:     davem@...emloft.net, jon.maloy@...csson.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com,
        tipc-discussion@...ts.sourceforge.net, ying.xue@...driver.com
Subject: WARNING: suspicious RCU usage in tipc_bearer_find

Hello,

syzbot hit the following crash on net-next commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of  
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

So far this crash happened 4 times on net-next.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b743957adcee51f5e0e3@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

netlink: 'syz-executor6': attribute type 1 has an invalid length.
sctp: [Deprecated]: syz-executor3 (pid 6217) Use of int in max_burst socket  
option.
Use struct sctp_assoc_value instead

=============================
WARNING: suspicious RCU usage
4.15.0+ #221 Not tainted
sctp: [Deprecated]: syz-executor3 (pid 6225) Use of int in max_burst socket  
option.
Use struct sctp_assoc_value instead
-----------------------------
net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor6/6218:
  #0:  (
syz-executor5 (6213) used greatest stack depth: 14576 bytes left
cb_lock){++++}, at: [<000000004bdfcf78>] genl_rcv+0x19/0x40  
net/netlink/genetlink.c:634
  #1:  (genl_mutex){+.+.}, at: [<00000000482c2989>] genl_lock  
net/netlink/genetlink.c:33 [inline]
  #1:  (genl_mutex){+.+.}, at: [<00000000482c2989>] genl_rcv_msg+0x115/0x140  
net/netlink/genetlink.c:622

stack backtrace:
CPU: 1 PID: 6218 Comm: syz-executor6 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
  tipc_bearer_find+0x2b4/0x3b0 net/tipc/bearer.c:177
  tipc_nl_compat_link_set+0x329/0x9f0 net/tipc/netlink_compat.c:729
sock: sock_set_timeout: `syz-executor4' (pid 6237) tries to set negative  
timeout
  __tipc_nl_compat_doit net/tipc/netlink_compat.c:288 [inline]
  tipc_nl_compat_doit+0x15b/0x670 net/tipc/netlink_compat.c:335
  tipc_nl_compat_handle net/tipc/netlink_compat.c:1119 [inline]
  tipc_nl_compat_recv+0x1135/0x18f0 net/tipc/netlink_compat.c:1201
  genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
  genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
  netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2442
  genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
  netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
  netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
  netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
  __sys_sendmsg+0xe5/0x210 net/socket.c:2080
  SYSC_sendmsg net/socket.c:2091 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2087
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007fa225171c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa225172700 RCX: 00000000004537d9
RDX: 0000000000000000 RSI: 0000000020003000 RDI: 0000000000000013
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f09f R14: 00007fa2251729c0 R15: 0000000000000000
sctp: [Deprecated]: syz-executor1 (pid 6246) Use of struct sctp_assoc_value  
in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 'syz-executor2': attribute type 11 has an invalid length.
netlink: 'syz-executor2': attribute type 11 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor5'.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor5'.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor5'.
netlink: 8 bytes leftover after parsing attributes in process  
`syz-executor5'.
raw_sendmsg: syz-executor3 forgot to set AF_INET. Fix it!
kauditd_printk_skb: 13 callbacks suppressed
audit: type=1400 audit(1518204148.200:35): avc:  denied  { shutdown } for   
pid=6517 comm="syz-executor5"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_generic_socket permissive=1
syz0: Invalid MTU -2 requested, hw min 68
syz0: Invalid MTU -2 requested, hw min 68
Cannot find set identified by id 32769 to match
TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518204148.699:36): avc:  denied  { prog_run } for   
pid=6645 comm="syz-executor2"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf  
permissive=1
Cannot find set identified by id 32769 to match
audit: type=1400 audit(1518204148.973:37): avc:  denied  { getattr } for   
pid=6698 comm="syz-executor1"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518204149.035:38): avc:  denied  { write } for   
pid=6705 comm="syz-executor7"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1518204149.050:39): avc:  denied  { listen } for   
pid=6705 comm="syz-executor7"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_crypto_socket permissive=1
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
audit: type=1400 audit(1518204149.909:40): avc:  denied  { read } for   
pid=6952 comm="syz-executor5"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518204149.943:41): avc:  denied  { connect } for   
pid=6952 comm="syz-executor5"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_netfilter_socket permissive=1
ipt_CLUSTERIP: Please specify an interface name
netlink: 'syz-executor6': attribute type 3 has an invalid length.
netlink: 'syz-executor6': attribute type 3 has an invalid length.
validate_nla: 1 callbacks suppressed
netlink: 'syz-executor3': attribute type 33 has an invalid length.
A link change request failed with some changes committed already. Interface  
syz3 may have been left with an inconsistent configuration, please check.
audit: type=1400 audit(1518204151.702:42): avc:  denied  { setopt } for   
pid=7436 comm="syz-executor5"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_generic_socket permissive=1
NFQUEUE: number of total queues is 0
NFQUEUE: number of total queues is 0
netlink: 'syz-executor3': attribute type 33 has an invalid length.
A link change request failed with some changes committed already. Interface  
syz3 may have been left with an inconsistent configuration, please check.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
audit: type=1400 audit(1518204152.463:43): avc:  denied  { map } for   
pid=7639 comm="syz-executor3"  
path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs"  
ino=19879 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1
atomic_op 00000000e4d3062f conn xmit_atomic           (null)
atomic_op 0000000045f50105 conn xmit_atomic           (null)
atomic_op 00000000272ad12c conn xmit_atomic           (null)
atomic_op 0000000003371d71 conn xmit_atomic           (null)
device syz6 entered promiscuous mode
device syz6 left promiscuous mode
atomic_op 000000002579eed8 conn xmit_atomic           (null)
atomic_op 00000000a306f3e1 conn xmit_atomic           (null)
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 7836 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
nla_parse: 3 callbacks suppressed
netlink: 15 bytes leftover after parsing attributes in process  
`syz-executor0'.
  should_fail_alloc_page mm/page_alloc.c:2955 [inline]
  prepare_alloc_pages mm/page_alloc.c:4194 [inline]
  __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4233
audit: type=1400 audit(1518204153.249:44): avc:  denied  { bind } for   
pid=7842 comm="syz-executor0"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_crypto_socket permissive=1
netlink: 15 bytes leftover after parsing attributes in process  
`syz-executor0'.
  alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2055
  alloc_pages include/linux/gfp.h:492 [inline]
  skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2208
  tun_build_skb.isra.50+0x2f0/0x1810 drivers/net/tun.c:1630
  tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
  tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
  call_write_iter include/linux/fs.h:1781 [inline]
  do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
  do_iter_write+0x154/0x540 fs/read_write.c:932
  vfs_writev+0x18a/0x340 fs/read_write.c:977
  do_writev+0xfc/0x2a0 fs/read_write.c:1012
  SYSC_writev fs/read_write.c:1085 [inline]
  SyS_writev+0x27/0x30 fs/read_write.c:1082
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4536b1
RSP: 002b:00007f3d41762b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000005f RCX: 00000000004536b1
RDX: 0000000000000001 RSI: 00007f3d41762bd0 RDI: 0000000000000012
RBP: 00000000200f805f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000066 R11: 0000000000000293 R12: 0000000000000066
R13: 0000000000000014 R14: 00007f3d417636d4 R15: ffffffffffffffff
atomic_op 00000000f4b2bda9 conn xmit_atomic           (null)
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 7886 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
  should_failslab+0xec/0x120 mm/failslab.c:32
  slab_pre_alloc_hook mm/slab.h:422 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  kmem_cache_alloc+0x47/0x760 mm/slab.c:3539
  __build_skb+0x9d/0x450 net/core/skbuff.c:281
  build_skb+0x6f/0x2a0 net/core/skbuff.c:312
  tun_build_skb.isra.50+0x9cb/0x1810 drivers/net/tun.c:1690
atomic_op 000000002be437ac conn xmit_atomic           (null)
  tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
  tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
  call_write_iter include/linux/fs.h:1781 [inline]
  do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
  do_iter_write+0x154/0x540 fs/read_write.c:932
  vfs_writev+0x18a/0x340 fs/read_write.c:977
  do_writev+0xfc/0x2a0 fs/read_write.c:1012
  SYSC_writev fs/read_write.c:1085 [inline]
  SyS_writev+0x27/0x30 fs/read_write.c:1082
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4536b1
RSP: 002b:00007f3d41762b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f3d41762aa0 RCX: 00000000004536b1
RDX: 0000000000000001 RSI: 00007f3d41762bd0 RDI: 0000000000000012
RBP: 00007f3d41762a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000066 R11: 0000000000000293 R12: 00000000004b863a
R13: 00007f3d41762bc8 R14: 00000000004b863a R15: 0000000000000000
atomic_op 00000000e2fa1a71 conn xmit_atomic           (null)
atomic_op 000000003a952aff conn xmit_atomic           (null)
netlink: 'syz-executor6': attribute type 33 has an invalid length.
A link change request failed with some changes committed already. Interface  
syz6 may have been left with an inconsistent configuration, please check.
netlink: 'syz-executor6': attribute type 33 has an invalid length.
A link change request failed with some changes committed already. Interface  
syz6 may have been left with an inconsistent configuration, please check.
netlink: 40 bytes leftover after parsing attributes in process  
`syz-executor5'.
audit: type=1400 audit(1518204155.198:45): avc:  denied  { connect } for   
pid=8195 comm="syz-executor6"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518204156.127:46): avc:  denied  { net_bind_service  
} for  pid=8464 comm="syz-executor7" capability=10   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
audit: type=1400 audit(1518204156.257:47): avc:  denied  { create } for   
pid=8493 comm="syz-executor5"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1518204156.286:48): avc:  denied  { write } for   
pid=8493 comm="syz-executor5" path="socket:[20676]" dev="sockfs" ino=20676  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_fib_lookup_socket permissive=1
netlink: 'syz-executor0': attribute type 2 has an invalid length.
audit: type=1400 audit(1518204156.414:49): avc:  denied  { read } for   
pid=8523 comm="syz-executor6"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_crypto_socket permissive=1
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 8533 Comm: syz-executor3 Not tainted 4.15.0+ #221
netlink: 'syz-executor6': attribute type 2 has an invalid length.
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
  should_failslab+0xec/0x120 mm/failslab.c:32
  slab_pre_alloc_hook mm/slab.h:422 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  __do_kmalloc mm/slab.c:3703 [inline]
  __kmalloc+0x63/0x760 mm/slab.c:3714
  kmalloc include/linux/slab.h:517 [inline]
  sock_kmalloc+0x112/0x190 net/core/sock.c:1986
netlink: 'syz-executor6': attribute type 2 has an invalid length.
  ___sys_sendmsg+0x458/0x8b0 net/socket.c:2013
  __sys_sendmsg+0xe5/0x210 net/socket.c:2080
  SYSC_sendmsg net/socket.c:2091 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2087
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007faabf0e4c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007faabf0e4aa0 RCX: 00000000004537d9
RDX: 0000000000000000 RSI: 0000000020019fc8 RDI: 0000000000000013
RBP: 00007faabf0e4a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b863a
R13: 00007faabf0e4bc8 R14: 00000000004b863a R15: 0000000000000000


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (644452 bytes)

View attachment "config.txt" of type "text/plain" (136942 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ