BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
From: Naresh Kamboju
Date: Tue Apr 20 2021 - 09:45:34 EST
Following kernel BUG reported on qemu-arm64 running linux next 20210420
the config is enabled with KASAN.
steps to reproduce:
----------------------------
- Build the arm64 kernel with KASAN enabled.
- boot it with below command and you will notice
/usr/bin/qemu-system-aarch64 -cpu host -machine virt,accel=kvm
-nographic -net nic,model=virtio,macaddr=BA:DD:AD:CC:09:10 -net tap -m
1024 -monitor none -kernel kernel/Image.gz --append "console=ttyAMA0
root=/dev/vda rw" -hda
rootfs/rpb-console-image-lkft-juno-20210414125244-133.rootfs.ext4 -m
4096 -smp 4 -nographic
crash log:
-------------
[ 23.711647] BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
[ 23.715349] Read of size 12 at addr ffff0000cf63f800 by task systemd/1
[ 23.718528]
[ 23.719331] CPU: 0 PID: 1 Comm: systemd Not tainted
5.12.0-rc8-next-20210420 #1
[ 23.722836] Hardware name: linux,dummy-virt (DT)
[ 23.725114] Call trace:
[ 23.726345] dump_backtrace+0x0/0x2f0
[ 23.728167] show_stack+0x20/0x30
[ 23.729843] dump_stack+0x120/0x19c
[ 23.731576] print_address_description.constprop.0+0x6c/0x30c
[ 23.734357] kasan_report+0x1e0/0x248
[ 23.736155] kasan_check_range+0x100/0x1b8
[ 23.738183] memcpy+0x54/0x100
[ 23.739707] page_to_skb.isra.0+0x300/0x418
[ 23.742027] receive_buf+0x113c/0x2118
[ 23.743881] virtnet_poll+0x28c/0x980
[ 23.745712] __napi_poll+0x64/0x2e8
[ 23.747450] net_rx_action+0x204/0x448
[ 23.749315] __do_softirq+0x20c/0x70c
[ 23.751124] irq_exit+0x184/0x190
[ 23.752786] __handle_domain_irq+0x8c/0xf0
[ 23.754790] gic_handle_irq+0xe4/0x128
[ 23.756612] el1_irq+0xb4/0x14c
[ 23.758194] copy_page+0x48/0xe8
[ 23.759815] copy_user_highpage+0x20/0x50
[ 23.761791] wp_page_copy+0x178/0xe00
[ 23.763592] do_wp_page+0x10c/0x890
[ 23.765330] __handle_mm_fault+0xbb8/0x1560
[ 23.767381] handle_mm_fault+0x160/0x360
[ 23.769320] do_page_fault+0x1d4/0x5b0
[ 23.771122] do_mem_abort+0x68/0x100
[ 23.772849] el0_da+0x3c/0x50
[ 23.774295] el0_sync_handler+0x88/0xb8
[ 23.776133] el0_sync+0x18c/0x1c0
[ 23.777751]
[ 23.778520] Unable to handle kernel paging request at virtual
address dead000000000418
[ 23.782211] Mem abort info:
[ 23.783557] ESR = 0x96000004
[ 23.785383] EC = 0x25: DABT (current EL), IL = 32 bits
[ 23.787934] SET = 0, FnV = 0
[ 23.789451] EA = 0, S1PTW = 0
[ 23.791000] Data abort info:
[ 23.792418] ISV = 0, ISS = 0x00000004
[ 23.794293] CM = 0, WnR = 0
[ 23.795756] [dead000000000418] address between user and kernel address ranges
[ 23.799181] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 23.801878] Modules linked in: rfkill crct10dif_ce fuse
[ 23.804467] CPU: 0 PID: 1 Comm: systemd Not tainted
5.12.0-rc8-next-20210420 #1
[ 23.807965] Hardware name: linux,dummy-virt (DT)
[ 23.810215] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO BTYPE=--)
[ 23.813114] pc : print_address_description.constprop.0+0xb4/0x30c
[ 23.816067] lr : print_address_description.constprop.0+0x78/0x30c
[ 23.819042] sp : ffff8000100077d0
[ 23.820694] x29: ffff8000100077d0 x28: ffff0000cf63f80c
[ 23.823289] x27: 000000000000780c x26: 000000000000000c
[ 23.825884] x25: ffff0000c623e934 x24: ffff800015779000
[ 23.828476] x23: ffff8000129f1888 x22: dead000000000400
[ 23.831080] x21: 000000000000000c x20: fffffc00033d8fc0
[ 23.833672] x19: ffff0000cf63f800 x18: 0000000000000000
[ 23.836262] x17: 0000000000000000 x16: 0000000000000000
[ 23.838866] x15: 0000000000000000 x14: 0000000000000000
[ 23.841454] x13: 0000000000000000 x12: ffff60001b568d2c
[ 23.844033] x11: 1fffe0001b568d2b x10: ffff60001b568d2b
[ 23.846652] x9 : ffff8000101768f4 x8 : ffff0000dab4695b
[ 23.849250] x7 : 0000000000000001 x6 : ffff0000dab46958
[ 23.851827] x5 : 00009fffe4a972d5 x4 : dfff800000000000
[ 23.854581] x3 : ffff000000000000 x2 : 00000000000cf63f
[ 23.857178] x1 : 0000000000000000 x0 : dead000000000400
[ 23.859756] Call trace:
[ 23.860996] print_address_description.constprop.0+0xb4/0x30c
[ 23.863786] kasan_report+0x1e0/0x248
[ 23.865613] kasan_check_range+0x100/0x1b8
[ 23.867627] memcpy+0x54/0x100
[ 23.869179] page_to_skb.isra.0+0x300/0x418
[ 23.871234] receive_buf+0x113c/0x2118
[ 23.873092] virtnet_poll+0x28c/0x980
[ 23.874888] __napi_poll+0x64/0x2e8
[ 23.876609] net_rx_action+0x204/0x448
[ 23.878482] __do_softirq+0x20c/0x70c
[ 23.880278] irq_exit+0x184/0x190
[ 23.881950] __handle_domain_irq+0x8c/0xf0
[ 23.883952] gic_handle_irq+0xe4/0x128
[ 23.885800] el1_irq+0xb4/0x14c
[ 23.887344] copy_page+0x48/0xe8
[ 23.888964] copy_user_highpage+0x20/0x50
[ 23.890922] wp_page_copy+0x178/0xe00
[ 23.892753] do_wp_page+0x10c/0x890
[ 23.894491] __handle_mm_fault+0xbb8/0x1560
[ 23.896528] handle_mm_fault+0x160/0x360
[ 23.898475] do_page_fault+0x1d4/0x5b0
[ 23.900321] do_mem_abort+0x68/0x100
[ 23.902096] el0_da+0x3c/0x50
[ 23.903567] el0_sync_handler+0x88/0xb8
[ 23.905462] el0_sync+0x18c/0x1c0
[ 23.907123] Code: d2ffffe3 79405681 aa1603e0 d346fc42 (b9401ac6)
[ 23.910073] ---[ end trace fd09da2bec4267c7 ]---
[ 23.912299] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 23.915576] SMP: stopping secondary CPUs
[ 23.917615] Kernel Offset: disabled
[ 23.919303] CPU features: 0x00240002,20002004
[ 23.921405] Memory Limit: none
[ 23.922914] ---[ end Kernel panic - not syncing: Oops: Fatal
exception in interrupt ]---
Reported-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>
Full test log:
------------------
https://lkft.validation.linaro.org/scheduler/job/2555059#L646
https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20210420/testrun/4398870/suite/linux-log-parser/test/check-kernel-bug-2555059/log
metadata:
git branch: master
git repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
git describe: next-20210420
kernel-config: https://builds.tuxbuild.com/1rQkHtEDo0W1xQ7zqLlKg72HPil/config
--
Linaro LKFT
https://lkft.linaro.org