On Mon, Jan 08, 2018 at 08:11:35PM +0000, Jon Maloy wrote:
>
>
> > -----Original Message-----
> > From: Cong Wang [mailto:xiyou.wangc...@gmail.com]
> > Sent: Monday, January 08, 2018 13:44
> > To: syzbot <syzbot+aae58876fb5a1fad0...@syzkaller.appspotmail.com>
> > Cc: David Miller <da...@davemloft.net>; Jon Maloy <jon.ma...@ericsson.com>;
> > LKML <linux-ker...@vger.kernel.org>; Linux Kernel Network Developers
> > <netdev@vger.kernel.org>; syzkaller-b...@googlegroups.com;
> > tipc-discuss...@lists.sourceforge.net; Ying Xue <ying....@windriver.com>
> > Subject: Re: KASAN: use-after-free Read in tipc_group_size
> >
> > On Mon, Jan 8, 2018 at 6:58 AM, syzbot
> > <syzbot+aae58876fb5a1fad0...@syzkaller.appspotmail.com> wrote:
> > > Hello,
> > >
> > > syzkaller hit the following crash on
> > > b2cd1df66037e7c4697c7e40496bf7e4a5e16a2d
> > > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > > compiler: gcc (GCC) 7.1.1 20170620
> > > .config is attached
> > > Raw console output is attached.
> > > C reproducer is attached
> > > syzkaller reproducer is attached. See https://goo.gl/kgGztJ for
> > > information about syzkaller reproducers
> > >
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+aae58876fb5a1fad0...@syzkaller.appspotmail.com
> > > It will help syzbot understand when the bug is fixed. See footer for
> > > details.
> > > If you forward the report, please keep this part and the footer.
> > >
> > >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in tipc_group_size+0x40/0x50 net/tipc/group.c:158
> > > Read of size 2 at addr ffff8801c08ba280 by task syzkaller447710/3513
> > >
> > > CPU: 0 PID: 3513 Comm: syzkaller447710 Not tainted 4.15.0-rc7+ #252
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:17 [inline]
> > >  dump_stack+0x194/0x257 lib/dump_stack.c:53
> > >  print_address_description+0x73/0x250 mm/kasan/report.c:252
> > >  kasan_report_error mm/kasan/report.c:351 [inline]
> > >  kasan_report+0x25b/0x340 mm/kasan/report.c:409
> > >  __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
> > >  tipc_group_size+0x40/0x50 net/tipc/group.c:158
> > >  tipc_poll+0x374/0x4f0 net/tipc/socket.c:739
> >
> > Seems we have to lock the sock for tipc_group_size() in tipc_poll().
>
> Not quite. I think it is that we initialize 'grp' on the stack before we call
> sock_poll_wait() and access it after it returns.
> This is anyway fixed in patch #9 of the series I just sent to net-next, where
> the poll() handling for group members is redesigned.
>
> ///jon
>
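An added example, not code from this thread or from net/tipc: a single-threaded C model of the pattern Jon describes, where poll() copies the group pointer to the stack before the wait and dereferences it after a racing setsockopt()/leave path has deleted the group. The kernel names (tipc_group_size, tipc_leave, lock_sock) are stand-ins for illustration, sock_poll_wait() is replaced by a callback, and the deleted object is poisoned rather than freed so the stale read stays observable without undefined behaviour.

```c
#include <stdbool.h>
#include <string.h>
#define POISON_FREE 0x6b   /* byte SLUB writes over a freed object */
struct tipc_group { int member_cnt; };
struct tipc_sock { struct tipc_group *group; bool locked; };
typedef void (*wait_fn)(struct tipc_sock *tsk);   /* stands in for sock_poll_wait() */

static struct tipc_group group_storage;          /* the one "slab object", reused per run */
static void lock_sock(struct tipc_sock *tsk)    { tsk->locked = true; }
static void release_sock(struct tipc_sock *tsk) { tsk->locked = false; }
/* Models tipc_group_size(): the member-count read that KASAN flagged. */
static int tipc_group_size(struct tipc_group *grp) { return grp->member_cnt; }

/* Models the setsockopt()/leave path: delete the group under the socket lock.
 * The object is poisoned instead of freed so the stale read stays observable. */
static void tipc_leave(struct tipc_sock *tsk)
{
    lock_sock(tsk);
    memset(tsk->group, POISON_FREE, sizeof(*tsk->group));
    tsk->group = NULL;
    release_sock(tsk);
}
static void no_race(struct tipc_sock *tsk)           { (void)tsk; }
static void leave_during_wait(struct tipc_sock *tsk) { tipc_leave(tsk); }  /* racing task */
/* Before: 'grp' is copied to the stack before the wait and dereferenced after it. */
static int poll_before(struct tipc_sock *tsk, wait_fn wait_cb)
{
    struct tipc_group *grp = tsk->group;
    wait_cb(tsk);                            /* the group may be deleted in here */
    return grp ? tipc_group_size(grp) : -1;  /* stale pointer: the use-after-free */
}

/* After: read the pointer only once the wait has returned and the socket lock is held. */
static int poll_after(struct tipc_sock *tsk, wait_fn wait_cb)
{
    wait_cb(tsk);
    lock_sock(tsk);
    int n = tsk->group ? tipc_group_size(tsk->group) : -1;
    release_sock(tsk);
    return n;
}

/* Run one poll() variant on a fresh socket whose group has three members. */
static int run_poll(int (*poll_fn)(struct tipc_sock *, wait_fn), wait_fn wait_cb)
{
    struct tipc_sock tsk = { &group_storage, false };
    group_storage.member_cnt = 3;
    return poll_fn(&tsk, wait_cb);
}
```

With no concurrent leave both variants report three members; when the group is deleted during the wait, poll_before reads the poisoned object while poll_after correctly sees no group.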
Last occurred on Jan 16. Seems to have been fixed by commit 60c2530696320:

#syz fix: tipc: fix race between poll() and setsockopt()

- Eric