syzbot

 sign-in | mailing list | source | docs
🐞 Open [1653]
Subsystems
🐞 Fixed [6096]
🐞 Invalid [15195]
Missing Backports [163]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: invalid-free in kvfree

Status: closed as invalid on 2018/04/11 18:40
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+9ff390e2bedb5869f811@syzkaller.appspotmail.com
First crash: 2567d, last: 2567d

Sample crash report:
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
BUG: KASAN: double-free or invalid-free in kvfree+0x36/0x60 mm/util.c:438

CPU: 1 PID: 4260 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #254
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:336
 __kasan_slab_free+0x145/0x170 mm/kasan/kasan.c:500
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xd9/0x260 mm/slab.c:3800
 kvfree+0x36/0x60 mm/util.c:438
 xt_free_table_info+0xaf/0x170 net/netfilter/x_tables.c:1026
 __do_replace+0x810/0xa70 net/ipv6/netfilter/ip6_tables.c:1114
 do_replace net/ipv6/netfilter/ip6_tables.c:1168 [inline]
 do_ip6t_set_ctl+0x40f/0x5f0 net/ipv6/netfilter/ip6_tables.c:1690
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2878
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979
 SYSC_setsockopt net/socket.c:1850 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1829
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45697a
RSP: 002b:0000000000a3e3b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000a3e3e0 RCX: 000000000045697a
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 00000000006fd900 R08: 00000000000003b8 R09: 0000000000004000
R10: 00000000006fb6e0 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000013 R14: 0000000000000029 R15: 00000000006fb740

Allocated by task 7667:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 __do_kmalloc mm/slab.c:3705 [inline]
 __kmalloc_track_caller+0x15e/0x760 mm/slab.c:3720
 kmemdup+0x24/0x50 mm/util.c:118
 kmemdup include/linux/string.h:418 [inline]
 selinux_cred_prepare+0x43/0xa0 security/selinux/hooks.c:3828
 security_prepare_creds+0x7d/0xb0 security/security.c:1000
 prepare_creds+0x2b1/0x360 kernel/cred.c:278
 SYSC_faccessat fs/open.c:365 [inline]
 SyS_faccessat fs/open.c:353 [inline]
 SYSC_access fs/open.c:431 [inline]
 SyS_access+0x8f/0x6a0 fs/open.c:429
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7667:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xd9/0x260 mm/slab.c:3800
 selinux_cred_free+0x48/0x70 security/selinux/hooks.c:3814
 security_cred_free+0x48/0x80 security/security.c:995
 put_cred_rcu+0x106/0x400 kernel/cred.c:117
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2674 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
 rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801c95e2880
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff8801c95e2880, ffff8801c95e28a0)
The buggy address belongs to the page:
page:ffffea0007257880 count:1 mapcount:0 mapping:ffff8801c95e2000 index:0xffff8801c95e2fc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c95e2000 ffff8801c95e2fc1 000000010000000f
raw: ffffea0006eae820 ffffea0006bb8b20 ffff8801dac001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c95e2780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801c95e2800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8801c95e2880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                   ^
 ffff8801c95e2900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8801c95e2980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/03/06 18:28 net-next-old 0f3e9c97eb5a c8a18476 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.