syzbot


KASAN: user-memory-access Read in ip6_hold_safe (3)

Status: fixed on 2019/10/04 12:05
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+a5b6e01ec8116d046842@syzkaller.appspotmail.com
Fix commit: c3bcde026684 tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
First crash: 1969d, last: 1943d
Discussions (4)
Title Replies (including bot) Last reply
Reminder: 10 open syzbot bugs in "net/sctp" subsystem 1 (1) 2019/07/24 02:27
Reminder: 14 open syzbot bugs in "net/sctp" subsystem 1 (1) 2019/06/25 05:49
KASAN: user-memory-access Read in ip6_hold_safe (3) 4 (5) 2019/06/24 04:38
general protection fault in tcp_v6_connect 2 (3) 2019/06/03 06:59
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: user-memory-access Read in ip6_hold_safe 1 1943d 1943d 0/1 auto-closed as invalid on 2019/10/25 08:37
upstream KASAN: user-memory-access Read in ip6_hold_safe net 20 2022d 2100d 0/28 closed as invalid on 2019/04/02 18:33
upstream KASAN: user-memory-access Read in ip6_hold_safe (2) net 3 1991d 2002d 0/28 closed as invalid on 2019/05/15 22:57

Sample crash report:
==================================================================
BUG: KASAN: user-memory-access in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: user-memory-access in atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
BUG: KASAN: user-memory-access in atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
BUG: KASAN: user-memory-access in atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
BUG: KASAN: user-memory-access in dst_hold_safe include/net/dst.h:297 [inline]
BUG: KASAN: user-memory-access in ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1050
Read of size 4 at addr 000000010000003f by task syz-executor.1/11707

CPU: 0 PID: 11707 Comm: syz-executor.1 Not tainted 5.2.0-rc2+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 __kasan_report.cold+0x5/0x40 mm/kasan/report.c:321
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:94
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
 atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
 atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
 dst_hold_safe include/net/dst.h:297 [inline]
 ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1050
 rt6_get_pcpu_route net/ipv6/route.c:1277 [inline]
 ip6_pol_route+0x336/0x1010 net/ipv6/route.c:2028
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2204
 fib6_rule_lookup+0x279/0x5a0 net/ipv6/fib6_rules.c:120
 ip6_route_output_flags+0x2c4/0x350 net/ipv6/route.c:2233
 ip6_route_output include/net/ip6_route.h:89 [inline]
 ip6_dst_lookup_tail+0xd10/0x1b30 net/ipv6/ip6_output.c:1027
 ip6_dst_lookup_flow+0xa8/0x220 net/ipv6/ip6_output.c:1155
 tcp_v6_connect+0xda3/0x20a0 net/ipv6/tcp_ipv6.c:282
 __inet_stream_connect+0x834/0xe90 net/ipv4/af_inet.c:659
 tcp_sendmsg_fastopen net/ipv4/tcp.c:1143 [inline]
 tcp_sendmsg_locked+0x2318/0x3920 net/ipv4/tcp.c:1185
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1419
 inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:802
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:671
 ___sys_sendmsg+0x803/0x920 net/socket.c:2292
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2330
 __do_sys_sendmsg net/socket.c:2339 [inline]
 __se_sys_sendmsg net/socket.c:2337 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4592c9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbc8ecbfc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004592c9
RDX: 0000000020008844 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbc8ecc06d4
R13: 00000000004c6f76 R14: 00000000004dc0b0 R15: 00000000ffffffff
==================================================================

Crashes (456):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/20 04:05 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/20 02:38 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/20 00:12 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 22:26 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 16:12 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 14:57 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 13:21 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 11:04 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 09:28 bpf-next 94079b64255f 34bf9440 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 05:00 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 03:58 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 02:48 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/19 01:18 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 21:39 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 20:21 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 18:06 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 16:46 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 15:16 bpf-next 4d18f6de6ac1 e3f76baa .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 10:01 bpf-next 32b88d374357 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 09:12 bpf-next 32b88d374357 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 08:00 bpf-next 32b88d374357 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 06:48 bpf-next 32b88d374357 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 04:38 bpf-next 32b88d374357 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/18 00:45 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 20:33 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 15:46 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 13:58 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 12:33 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 09:58 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 07:26 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 06:17 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/17 05:17 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 23:24 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 15:19 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 13:23 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 12:02 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 10:43 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 09:29 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 07:52 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 04:29 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/16 04:11 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/15 22:31 bpf-next 7f94208c8f9a 442206d7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/06/14 01:53 net-next-old 425b0fad9c7e a139f92f .config console log report ci-upstream-net-kasan-gce
2019/05/24 15:33 net-next-old dfb569f2b96e 0dadcd9d .config console log report ci-upstream-net-kasan-gce
2019/06/04 11:42 linux-next 56b697c6c13b e41a20c5 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.