[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <edda3930-bbb7-c927-578d-c3bd51da7384@huaweicloud.com>
Date: Mon, 13 Nov 2023 22:12:55 +0800
From: Hou Tao <houtao@...weicloud.com>
To: bpf <bpf@...r.kernel.org>, Networking <netdev@...r.kernel.org>
Subject: [bug report] BUG: KASAN: slab-use-after-free in
sock_def_readable+0x101/0x450
Hi,
I got the following kasan report when running test_progs on bpf-tree
(commit 100888fb6d8a):
[ 212.183985]
==================================================================
[ 212.184699] BUG: KASAN: slab-use-after-free in
sock_def_readable+0x101/0x450
[ 212.185375] Read of size 8 at addr ffff88812d9f1860 by task
kworker/4:1/67
[ 212.186195] CPU: 4 PID: 67 Comm: kworker/4:1 Tainted: G
O 6.6.0+ #9
[ 212.186942] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 212.188044] Workqueue: events sk_psock_backlog
[ 212.188496] Call Trace:
[ 212.188746] <TASK>
[ 212.188967] dump_stack_lvl+0x4a/0x90
[ 212.189342] print_report+0xd2/0x620
[ 212.189706] ? kasan_complete_mode_report_info+0x7c/0x210
[ 212.190241] kasan_report+0xd1/0x110
[ 212.190599] ? sock_def_readable+0x101/0x450
[ 212.191022] ? sock_def_readable+0x101/0x450
[ 212.191452] kasan_check_range+0x101/0x1c0
[ 212.191852] __kasan_check_read+0x11/0x20
[ 212.192253] sock_def_readable+0x101/0x450
[ 212.192656] unix_stream_sendmsg+0x3cc/0xaa0
[ 212.193093] ? __pfx_unix_stream_sendmsg+0x10/0x10
[ 212.193565] ? __pfx___lock_acquire+0x10/0x10
[ 212.194034] sock_sendmsg+0x219/0x230
[ 212.194400] ? __pfx_sock_sendmsg+0x10/0x10
[ 212.194813] ? lock_acquire+0x180/0x420
[ 212.195193] ? sk_psock_backlog+0x3c/0x600
[ 212.195598] ? __pfx_lock_acquire+0x10/0x10
[ 212.196014] ? lock_is_held_type+0x97/0x100
[ 212.196436] ? __asan_storeN+0x12/0x20
[ 212.196808] __skb_send_sock+0x53b/0x660
[ 212.197204] ? __pfx_sendmsg_unlocked+0x10/0x10
[ 212.197653] ? sk_psock_backlog+0x3c/0x600
[ 212.198057] ? __pfx___skb_send_sock+0x10/0x10
[ 212.198499] ? __mutex_unlock_slowpath+0x122/0x410
[ 212.198990] skb_send_sock+0x15/0x20
[ 212.199355] sk_psock_backlog+0x149/0x600
[ 212.199762] process_one_work+0x462/0x990
[ 212.200174] ? __pfx_process_one_work+0x10/0x10
[ 212.200617] ? do_raw_spin_lock+0x115/0x1b0
[ 212.201041] ? assign_work+0xe6/0x120
[ 212.201407] worker_thread+0x370/0x670
[ 212.201779] ? __pfx_worker_thread+0x10/0x10
[ 212.202202] kthread+0x1b0/0x200
[ 212.202525] ? kthread+0x103/0x200
[ 212.202862] ? __pfx_kthread+0x10/0x10
[ 212.203238] ret_from_fork+0x3a/0x70
[ 212.203600] ? __pfx_kthread+0x10/0x10
[ 212.203978] ret_from_fork_asm+0x1b/0x30
[ 212.204378] </TASK>
[ 212.204762] Allocated by task 415:
[ 212.205109] kasan_save_stack+0x26/0x50
[ 212.205495] kasan_set_track+0x25/0x40
[ 212.205873] kasan_save_alloc_info+0x1e/0x30
[ 212.206291] __kasan_slab_alloc+0x72/0x80
[ 212.206689] kmem_cache_alloc+0x16c/0x3a0
[ 212.207086] sk_prot_alloc+0x48/0x170
[ 212.207446] sk_alloc+0x31/0x5b0
[ 212.207773] unix_create1+0x8b/0x450
[ 212.208131] unix_create+0x82/0xf0
[ 212.208470] __sock_create+0x1d5/0x460
[ 212.208838] __sys_socketpair+0x1b1/0x3a0
[ 212.209235] __x64_sys_socketpair+0x54/0x70
[ 212.209642] do_syscall_64+0x36/0xb0
[ 212.210005] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 212.210663] Freed by task 415:
[ 212.210972] kasan_save_stack+0x26/0x50
[ 212.211348] kasan_set_track+0x25/0x40
[ 212.211717] kasan_save_free_info+0x2b/0x50
[ 212.212130] __kasan_slab_free+0x113/0x190
[ 212.212530] slab_free_freelist_hook+0xd7/0x1e0
[ 212.212983] kmem_cache_free+0x109/0x280
[ 212.213370] __sk_destruct+0x247/0x370
[ 212.213740] sk_destruct+0x80/0x90
[ 212.214080] __sk_free+0x68/0x180
[ 212.214410] sk_free+0x4a/0x70
[ 212.214723] unix_release_sock+0x648/0x6e0
[ 212.215128] unix_release+0x55/0x80
[ 212.215474] __sock_release+0x64/0x130
[ 212.215852] sock_close+0x18/0x20
[ 212.216187] __fput+0x13d/0x510
[ 212.216511] __fput_sync+0x34/0x40
[ 212.216854] __x64_sys_close+0x56/0xa0
[ 212.217232] do_syscall_64+0x36/0xb0
[ 212.217588] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 212.218243] The buggy address belongs to the object at ffff88812d9f1800
which belongs to the cache UNIX-STREAM of size 1920
[ 212.219431] The buggy address is located 96 bytes inside of
freed 1920-byte region [ffff88812d9f1800, ffff88812d9f1f80)
[ 212.220753] The buggy address belongs to the physical page:
[ 212.221292] page:00000000739895e2 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x12d9f0
[ 212.222189] head:00000000739895e2 order:3 entire_mapcount:0
nr_pages_mapped:0 pincount:0
[ 212.222966] memcg:ffff88812d026501
[ 212.223302] flags:
0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 212.224016] page_type: 0xffffffff()
[ 212.224363] raw: 0017ffffc0000840 ffff888102fbb180 ffffea0004b67400
0000000000000002
[ 212.225112] raw: 0000000000000000 0000000080100010 00000001ffffffff
ffff88812d026501
[ 212.225848] page dumped because: kasan: bad access detected
[ 212.226553] Memory state around the buggy address:
[ 212.227022] ffff88812d9f1700: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
[ 212.227714] ffff88812d9f1780: fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc
[ 212.228413] >ffff88812d9f1800: fa fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 212.229107] ^
[ 212.229717] ffff88812d9f1880: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 212.230418] ffff88812d9f1900: fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb
[ 212.231113]
==================================================================
Powered by blists - more mailing lists