syzbot


KASAN: global-out-of-bounds Read in __hw_addr_add_ex

Status: upstream: reported on 2024/06/03 20:10
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+91161fe81857b396c8a0@syzkaller.appspotmail.com
First crash: 15d, last: 4d19h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] KASAN: global-out-of-bounds Read in __hw_addr_add_ex 0 (1) 2024/06/03 20:10
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in __hw_addr_add_ex net 580 291d 574d 0/27 auto-obsoleted due to no activity on 2023/11/07 04:36

Sample crash report:
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
==================================================================
BUG: KASAN: global-out-of-bounds in memcmp+0xc0/0xca lib/string.c:676
Read of size 1 at addr ffffffff8905d900 by task syz-executor.0/6049

CPU: 0 PID: 6049 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-ge2c79b4c5c4d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000f6f8>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:129
[<ffffffff85c24e3c>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:135
[<ffffffff85c7eb8e>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff85c7eb8e>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:114
[<ffffffff85c2f1a4>] print_address_description mm/kasan/report.c:377 [inline]
[<ffffffff85c2f1a4>] print_report+0x288/0x596 mm/kasan/report.c:488
[<ffffffff8091ed4c>] kasan_report+0xec/0x118 mm/kasan/report.c:601
[<ffffffff80920b96>] __asan_report_load1_noabort+0x12/0x1a mm/kasan/report_generic.c:378
[<ffffffff85bfbcfa>] memcmp+0xc0/0xca lib/string.c:676
[<ffffffff84a1aab2>] __hw_addr_add_ex+0xee/0x676 net/core/dev_addr_lists.c:88
[<ffffffff84a1dab2>] __dev_mc_add net/core/dev_addr_lists.c:867 [inline]
[<ffffffff84a1dab2>] dev_mc_add+0xac/0x108 net/core/dev_addr_lists.c:885
[<ffffffff84bafc86>] mrp_init_applicant+0xe8/0x56e net/802/mrp.c:873
[<ffffffff857838f2>] vlan_mvrp_init_applicant+0x26/0x30 net/8021q/vlan_mvrp.c:57
[<ffffffff85779bca>] register_vlan_dev+0x1b4/0x922 net/8021q/vlan.c:170
[<ffffffff85781fc0>] vlan_newlink+0x3d2/0x5fc net/8021q/vlan_netlink.c:193
[<ffffffff84a65934>] rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
[<ffffffff84a65934>] __rtnl_newlink+0xfe4/0x1770 net/core/rtnetlink.c:3730
[<ffffffff84a6612c>] rtnl_newlink+0x6c/0xa2 net/core/rtnetlink.c:3743
[<ffffffff84a54cb8>] rtnetlink_rcv_msg+0x428/0xd78 net/core/rtnetlink.c:6595
[<ffffffff84d85a54>] netlink_rcv_skb+0x216/0x3dc net/netlink/af_netlink.c:2564
[<ffffffff84a46d0a>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6613
[<ffffffff84d83cee>] netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
[<ffffffff84d83cee>] netlink_unicast+0x508/0x862 net/netlink/af_netlink.c:1361
[<ffffffff84d848ac>] netlink_sendmsg+0x864/0xdc2 net/netlink/af_netlink.c:1905
[<ffffffff84949c70>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff84949c70>] __sock_sendmsg+0xcc/0x162 net/socket.c:745
[<ffffffff8494a87e>] ____sys_sendmsg+0x5ce/0x79e net/socket.c:2585
[<ffffffff84951bce>] ___sys_sendmsg+0x144/0x1e6 net/socket.c:2639
[<ffffffff849526a6>] __sys_sendmsg+0x130/0x1f0 net/socket.c:2668
[<ffffffff849527d6>] __do_sys_sendmsg net/socket.c:2677 [inline]
[<ffffffff849527d6>] __se_sys_sendmsg net/socket.c:2675 [inline]
[<ffffffff849527d6>] __riscv_sys_sendmsg+0x70/0xa2 net/socket.c:2675
[<ffffffff8000e200>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85c80e48>] do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
[<ffffffff85ca3750>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

The buggy address belongs to the variable:
 vlan_mrp_app+0x60/0x3e80

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8925d
flags: 0xffe000000002000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000002000 ff1c000000249748 ff1c000000249748 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8905d800: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8905d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8905d900: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffffffff8905d980: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
 ffffffff8905da00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/10 09:17 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 82c05ab8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/10 09:16 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 82c05ab8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/07 10:06 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 121701b6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/07 10:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 121701b6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/07 05:01 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 121701b6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/07 05:00 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes e2c79b4c5c4d 121701b6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/04 01:39 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e a1feae05 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 14:38 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 14:37 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 13:12 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 13:11 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 13:04 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 13:03 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 12:58 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 12:58 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 12:55 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/06/02 12:54 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7932b172ac7e 3113787f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/05/30 20:01 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 1613e604df0c 34889ee3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
2024/05/30 20:00 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 1613e604df0c 34889ee3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in __hw_addr_add_ex
* Struck through repros no longer work on HEAD.