syzbot


KASAN: use-after-free Read in __dev_queue_xmit

Status: upstream: reported C repro on 2021/04/30 04:08
Reported-by: syzbot+92833989808cfa785fb7@syzkaller.appspotmail.com
First crash: 1316d, last: 644d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (10)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-49 KASAN: use-after-free Read in __dev_queue_xmit C 46 1841d 2064d 0/3 public: reported C repro on 2019/04/13 00:00
upstream KASAN: use-after-free Read in __dev_queue_xmit (4) block 1 1594d 1594d 0/28 auto-closed as invalid on 2020/10/23 09:56
upstream KASAN: use-after-free Read in __dev_queue_xmit (5) block C unreliable error 49 279d 1158d 0/28 upstream: reported C repro on 2021/10/04 21:37
upstream KASAN: use-after-free Read in __dev_queue_xmit (2) net C 2 2391d 2391d 5/28 fixed on 2018/06/07 13:52
upstream KASAN: use-after-free Read in __dev_queue_xmit (3) net 11 2257d 2261d 11/28 fixed on 2018/11/12 21:25
linux-6.1 KASAN: use-after-free Read in __dev_queue_xmit origin:upstream C error 2 223d 586d 0/3 upstream: reported C repro on 2023/04/29 13:33
linux-5.15 KASAN: use-after-free Read in __dev_queue_xmit origin:upstream missing-backport C error 3 307d 557d 0/3 upstream: reported C repro on 2023/05/28 17:42
upstream KASAN: use-after-free Read in __dev_queue_xmit net C 10 2409d 2527d 5/28 fixed on 2018/05/09 07:47
linux-4.14 KASAN: use-after-free Read in __dev_queue_xmit C error 1 818d 1029d 0/1 upstream: reported C repro on 2022/02/10 06:42
upstream BUG: unable to handle kernel paging request in __dev_queue_xmit block 1 1324d 1315d 0/28 auto-closed as invalid on 2021/06/21 04:04
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2021/11/08 09:22 11m bisect fix linux-4.19.y error job log
2021/10/09 08:54 27m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
bond4647: The slave device specified does not support setting the MAC address
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
netlink: 'syz-executor804': attribute type 1 has an invalid length.
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:263 [inline]
BUG: KASAN: use-after-free in __dev_queue_xmit+0x2a94/0x2e00 net/core/dev.c:3803
Read of size 8 at addr ffff88803fa96848 by task aoe_tx0/3133

CPU: 0 PID: 3133 Comm: aoe_tx0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 __read_once_size include/linux/compiler.h:263 [inline]
 __dev_queue_xmit+0x2a94/0x2e00 net/core/dev.c:3803
 tx+0x68/0xb0 drivers/block/aoe/aoenet.c:63
 kthread+0x1d9/0x390 drivers/block/aoe/aoecmd.c:1241
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 32231:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0x61/0xf0 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 kvzalloc include/linux/mm.h:585 [inline]
 netif_alloc_netdev_queues net/core/dev.c:8594 [inline]
 alloc_netdev_mqs+0x69f/0xd50 net/core/dev.c:9197
 rtnl_create_link+0x1d4/0xa40 net/core/rtnetlink.c:2869
 rtnl_newlink+0xf45/0x15c0 net/core/rtnetlink.c:3131
 rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4782
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 32231:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kvfree+0x59/0x60 mm/util.c:452
 netif_free_tx_queues net/core/dev.c:8582 [inline]
 free_netdev+0x57/0x410 net/core/dev.c:9241
 netdev_run_todo+0x89b/0xab0 net/core/dev.c:9002
 rtnl_unlock net/core/rtnetlink.c:117 [inline]
 rtnetlink_rcv_msg+0x460/0xb80 net/core/rtnetlink.c:4783
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88803fa96840
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff88803fa96840, ffff88803fa96a40)
The buggy address belongs to the page:
page:ffffea0000fea580 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0001465e88 ffffea0000fea988 ffff88813bff0940
raw: 0000000000000000 ffff88803fa960c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803fa96700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803fa96780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88803fa96800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff88803fa96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803fa96900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

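The three stacks in the report above tell the lifetime story: the object is the device's transmit-queue array (kvzalloc in netif_alloc_netdev_queues, called from alloc_netdev_mqs while rtnl_newlink created the link), it was freed by netif_free_tx_queues inside free_netdev when netdev_run_todo finished unregistering the device, and it was then read by the aoe driver's transmit kthread (tx, drivers/block/aoe/aoenet.c:63) through __dev_queue_xmit. The allocating and freeing task (32231) is not the faulting task (aoe_tx0), and the faulting code lives in a different subsystem from the owner of the object, which points at a stale net_device pointer held without a reference rather than at a logic error in __dev_queue_xmit itself; the read is 8 bytes into the region, i.e. the second pointer-sized field of the first struct netdev_queue, consistent with txq->qdisc at net/core/dev.c:3803 in 4.19 (the struct layout is taken from the 4.19 headers and is the editor's reading, not something the report states). The script below, an added example that is not part of the syzbot page or of the kernel tree, extracts exactly those facts from the report text: the faulting frame, the offset within the slab object and its cache, the shadow byte at the address (0xfb, which mm/kasan/kasan.h names KASAN_KMALLOC_FREE; only the two values present in this dump are tabulated), the owning frame of the allocation and free stacks, whether the free and the use happened in different tasks, and the first frame of the use stack that belongs to a subsystem other than the allocator's. REPORT is a trimmed copy of the report above; the HELPERS prefix list and the two-path-component notion of "subsystem" are heuristics of this example, not kernel or syzbot conventions.

```python
import re
from types import SimpleNamespace

# Lines copied from the KASAN report above, trimmed to what the parser needs
# (header, one frame set per stack, the object lines and the shadow row).
REPORT = """\
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:263 [inline]
BUG: KASAN: use-after-free in __dev_queue_xmit+0x2a94/0x2e00 net/core/dev.c:3803
Read of size 8 at addr ffff88803fa96848 by task aoe_tx0/3133
Call Trace:
 __dev_queue_xmit+0x2a94/0x2e00 net/core/dev.c:3803
 tx+0x68/0xb0 drivers/block/aoe/aoenet.c:63

Allocated by task 32231:
 netif_alloc_netdev_queues net/core/dev.c:8594 [inline]
 alloc_netdev_mqs+0x69f/0xd50 net/core/dev.c:9197

Freed by task 32231:
 kvfree+0x59/0x60 mm/util.c:452
 netif_free_tx_queues net/core/dev.c:8582 [inline]
 free_netdev+0x57/0x410 net/core/dev.c:9241

The buggy address belongs to the object at ffff88803fa96840
 which belongs to the cache kmalloc-512 of size 512

>ffff88803fa96800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
"""

OFF = r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"          # optional "+0x2a94/0x2e00" symbol offset
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+?)" + OFF + r" (\S+)")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK_RE = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME_RE = re.compile(r"^ (\S+?)" + OFF + r" (\S+)( \[inline\])?$")
OBJ_RE = re.compile(r"object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"cache (\S+) of size \d+")
SHADOW_RE = re.compile(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

GRANULE = 8                                     # bytes of memory per shadow byte
POISON = {0xfb: "freed object (KASAN_KMALLOC_FREE)", 0xfc: "kmalloc redzone"}  # mm/kasan/kasan.h
# Heuristic (this example's own): frames under these paths are allocator/compiler helpers.
HELPERS = ("mm/", "include/linux/slab", "include/linux/mm", "include/linux/compiler")

def parse_kasan(text):                          # -> SimpleNamespace with the fields set below
    r = SimpleNamespace(kind="", size=0, addr=0, pid=0, obj_base=0, cache="",
                        bug_frames=[], stacks={}, shadow={})
    section = None                              # stack we are inside, if any
    for line in text.splitlines():
        if not line.strip():
            section = None                      # a blank line ends a stack
        elif m := BUG_RE.match(line):
            r.kind = m.group(1)
            r.bug_frames.append((m.group(2), m.group(3), line.endswith("[inline]")))
        elif m := ACCESS_RE.match(line):
            r.size, r.addr, r.pid = int(m.group(2)), int(m.group(3), 16), int(m.group(5))
        elif line == "Call Trace:":
            section, r.stacks["use"] = "use", (r.pid, [])
        elif m := STACK_RE.match(line):
            r.stacks[(section := m.group(1).lower())] = (int(m.group(2)), [])  # allocated/freed
        elif section and (m := FRAME_RE.match(line)):
            r.stacks[section][1].append((m.group(1), m.group(2), bool(m.group(3))))
        elif m := OBJ_RE.search(line):
            r.obj_base = int(m.group(1), 16)
        elif m := CACHE_RE.search(line):
            r.cache = m.group(1)
        elif m := SHADOW_RE.match(line):
            r.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r

def shadow_byte(r):                             # shadow byte covering r.addr, or None if not dumped
    row_base = r.addr & ~(16 * GRANULE - 1)     # each dumped row covers 16 granules
    row = r.shadow.get(row_base)
    return None if row is None else row[(r.addr - row_base) // GRANULE]

def owner_frame(frames):                        # first frame that is not an allocator/compiler helper
    return next(f for f in frames if not f[1].startswith(HELPERS))

def subsystem(loc):                             # "net/core/dev.c:8594" -> "net/core" (heuristic)
    return "/".join(loc.split("/")[:2])

def triage(r):
    alloc, (free_pid, freed), use = r.stacks["allocated"][1], r.stacks["freed"], r.stacks["use"][1]
    owner = owner_frame(alloc)
    home = subsystem(owner[1])
    # First user frame outside the allocator's subsystem: the code still holding a stale pointer.
    foreign = next((f for f in use if not f[1].startswith(HELPERS) and subsystem(f[1]) != home), None)
    return {
        "site": next(f[0] for f in r.bug_frames if not f[2]),   # first non-inlined report frame
        "offset": r.addr - r.obj_base,
        "cache": r.cache,
        "shadow": POISON.get(sb := shadow_byte(r), "unknown" if sb is None else f"0x{sb:02x}"),
        "alloc_owner": owner[0],
        "free_owner": owner_frame(freed)[0],
        "cross_task": free_pid != r.pid,
        "stale_holder": None if foreign is None else f"{foreign[0]} ({foreign[1]})",
    }

if __name__ == "__main__":
    print(*triage(parse_kasan(REPORT)).items(), sep="\n")
```

Run as a script it prints the summary; on this report that is offset 8 in kmalloc-512, shadow byte 0xfb, cross_task True and stale_holder tx (drivers/block/aoe/aoenet.c:63), which is the line to start reading when working out how the aoe transmit path still had a pointer to a device that rtnetlink had already freed.
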
Crashes (15):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/03/02 16:58 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/10/10 09:52 linux-4.19.y 3f8a27f9e27b aea5da89 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/10/09 06:47 linux-4.19.y 3f8a27f9e27b aea5da89 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/09/14 20:50 linux-4.19.y 3f8a27f9e27b b884348d .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/05/13 20:23 linux-4.19.y 3f8a27f9e27b 7ce5a022 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/01/24 13:07 linux-4.19.y 3f8a27f9e27b 214351e1 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/12/30 06:02 linux-4.19.y 3f8a27f9e27b 6cc879d4 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/12/22 10:32 linux-4.19.y 3f8a27f9e27b 6caa12e4 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/09/09 08:05 linux-4.19.y b172b44fcb17 e2776ee4 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/02/01 18:12 linux-4.19.y 3f8a27f9e27b c1c1631d .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/02/01 17:02 linux-4.19.y 3f8a27f9e27b c1c1631d .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2022/01/11 18:49 linux-4.19.y 3f8a27f9e27b 1884f55a .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/08/26 03:11 linux-4.19.y 59456c9cc40c b599f2fc .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/08/01 09:18 linux-4.19.y 53bd76690e27 6c236867 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
2021/04/30 04:07 linux-4.19.y 97a8651cadce 77e2b668 .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in __dev_queue_xmit
* Struck through repros no longer work on HEAD.