syzbot


KASAN: use-after-free Read in __dev_queue_xmit (5)

Status: upstream: reported C repro on 2021/10/04 21:37
Subsystems: block
Reported-by: syzbot+b7be9429f37d15205470@syzkaller.appspotmail.com
First crash: 1241d, last: 264d
Cause bisection: introduced by (bisect log) [no-op commit]:
commit 349181b7b86367bfe66341c6fc2708f01c568f0d
Author: Karen Sornek <karen.sornek@intel.com>
Date: Mon Aug 30 08:38:01 2021 +0000

  iavf: Fix static code analysis warning

Crash: KASAN: use-after-free Read in __dev_queue_xmit (log)
Repro: C syz .config
Fix bisection: failed (error log, bisect log)
Discussions (8)
Title Replies (including bot) Last reply
[syzbot] Monthly block report (Mar 2024) 0 (1) 2024/03/12 09:29
[syzbot] Monthly block report (Jan 2024) 0 (1) 2024/01/09 18:20
[syzbot] Monthly block report (Dec 2023) 0 (1) 2023/12/10 10:05
[syzbot] Monthly block report (Oct 2023) 0 (1) 2023/10/09 09:23
[syzbot] Monthly block report (Sep 2023) 0 (1) 2023/09/07 09:25
[syzbot] Monthly block report (Jul 2023) 0 (1) 2023/07/06 14:17
[syzbot] Monthly block report (Jun 2023) 0 (1) 2023/06/07 09:10
[syzbot] KASAN: use-after-free Read in __dev_queue_xmit (5) 0 (2) 2021/12/13 22:46
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in __dev_queue_xmit C 46 1827d 2049d 0/3 public: reported C repro on 2019/04/13 00:00
upstream KASAN: use-after-free Read in __dev_queue_xmit (4) block 1 1579d 1579d 0/28 auto-closed as invalid on 2020/10/23 09:56
upstream KASAN: use-after-free Read in __dev_queue_xmit (2) net C 2 2376d 2376d 5/28 fixed on 2018/06/07 13:52
upstream KASAN: use-after-free Read in __dev_queue_xmit (3) net 11 2242d 2246d 11/28 fixed on 2018/11/12 21:25
linux-6.1 KASAN: use-after-free Read in __dev_queue_xmit origin:upstream C error 2 208d 571d 0/3 upstream: reported C repro on 2023/04/29 13:33
linux-5.15 KASAN: use-after-free Read in __dev_queue_xmit origin:upstream missing-backport C error 3 292d 542d 0/3 upstream: reported C repro on 2023/05/28 17:42
linux-4.19 KASAN: use-after-free Read in __dev_queue_xmit C error 15 629d 1301d 0/1 upstream: reported C repro on 2021/04/30 04:08
upstream KASAN: use-after-free Read in __dev_queue_xmit net C 10 2394d 2513d 5/28 fixed on 2018/05/09 07:47
linux-4.14 KASAN: use-after-free Read in __dev_queue_xmit C error 1 803d 1015d 0/1 upstream: reported C repro on 2022/02/10 06:42
upstream BUG: unable to handle kernel paging request in __dev_queue_xmit block 1 1309d 1300d 0/28 auto-closed as invalid on 2021/06/21 04:04
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/10/15 11:47 24m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/08/06 10:37 20m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/05/28 09:41 34m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/03/19 07:54 26m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/12/29 20:54 36m retest repro linux-next OK log
2023/12/29 20:54 41m retest repro linux-next OK log
2023/12/29 20:54 33m retest repro linux-next OK log
2023/12/29 20:54 24m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/12/03 09:00 23m retest repro net OK log
2023/12/03 09:00 22m retest repro net OK log

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in skb_update_prio net/core/dev.c:3889 [inline]
BUG: KASAN: slab-use-after-free in __dev_queue_xmit+0x548/0x3318 net/core/dev.c:4169
Read of size 8 at addr ffff000158f40ba0 by task aoe_tx0/2149

CPU: 0 PID: 2149 Comm: aoe_tx0 Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:462
 kasan_report+0xd4/0x130 mm/kasan/report.c:572
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 skb_update_prio net/core/dev.c:3889 [inline]
 __dev_queue_xmit+0x548/0x3318 net/core/dev.c:4169
 dev_queue_xmit include/linux/netdevice.h:3085 [inline]
 tx+0x90/0x134 drivers/block/aoe/aoenet.c:63
 kthread+0x1ac/0x374 drivers/block/aoe/aoecmd.c:1229
 kthread+0x288/0x310 kernel/kthread.c:379
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:853

Allocated by task 12219:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:966 [inline]
 __kmalloc_node+0xd4/0x1c4 mm/slab_common.c:973
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x84/0x1c8 mm/util.c:604
 kvmalloc include/linux/slab.h:697 [inline]
 kvzalloc include/linux/slab.h:705 [inline]
 alloc_netdev_mqs+0x94/0xc04 net/core/dev.c:10626
 rtnl_create_link+0x2bc/0xc50 net/core/rtnetlink.c:3315
 rtnl_newlink_create net/core/rtnetlink.c:3433 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3660 [inline]
 rtnl_newlink+0x1048/0x1b1c net/core/rtnetlink.c:3673
 rtnetlink_rcv_msg+0x744/0xdb8 net/core/rtnetlink.c:6395
 netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2546
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6413
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg net/socket.c:747 [inline]
 ____sys_sendmsg+0x568/0x81c net/socket.c:2503
 ___sys_sendmsg net/socket.c:2557 [inline]
 __sys_sendmsg+0x26c/0x33c net/socket.c:2586
 __do_sys_sendmsg net/socket.c:2595 [inline]
 __se_sys_sendmsg net/socket.c:2593 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2593
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

Freed by task 12219:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:521
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3786 [inline]
 __kmem_cache_free+0x2a8/0x49c mm/slub.c:3799
 kfree+0xb8/0x19c mm/slab_common.c:1015
 kvfree+0x40/0x50 mm/util.c:650
 netdev_freemem+0x4c/0x64 net/core/dev.c:10580
 netdev_release+0x88/0xb0 net/core/net-sysfs.c:1938
 device_release+0x8c/0x1ac
 kobject_cleanup lib/kobject.c:683 [inline]
 kobject_release lib/kobject.c:714 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x2a8/0x41c lib/kobject.c:731
 netdev_run_todo+0xcf0/0xe08 net/core/dev.c:10400
 rtnl_unlock net/core/rtnetlink.c:151 [inline]
 rtnetlink_rcv_msg+0xa6c/0xdb8 net/core/rtnetlink.c:6396
 netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2546
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6413
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg net/socket.c:747 [inline]
 ____sys_sendmsg+0x568/0x81c net/socket.c:2503
 ___sys_sendmsg net/socket.c:2557 [inline]
 __sys_sendmsg+0x26c/0x33c net/socket.c:2586
 __do_sys_sendmsg net/socket.c:2595 [inline]
 __se_sys_sendmsg net/socket.c:2593 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2593
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

The buggy address belongs to the object at ffff000158f40000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 2976 bytes inside of
 freed 4096-byte region [ffff000158f40000, ffff000158f41000)

The buggy address belongs to the physical page:
page:00000000aa0c4398 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x198f40
head:00000000aa0c4398 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000010200 ffff0000c000ca80 fffffc0005772e00 dead000000000002
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000158f40a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff000158f40b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff000158f40b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff000158f40c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff000158f40c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
 selects TX queue 0, but real number of TX queues is 0

Crashes (49):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/05/28 17:49 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci eb0f1697d729 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in __dev_queue_xmit
2022/05/15 14:31 upstream 2fe1020d73ca 744a39e2 .config console log report syz C ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __dev_queue_xmit
2021/12/21 07:28 net-old 75a2f3152009 62bd192b .config console log report syz C ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/05/16 09:39 net-next-old d9713088158b 744a39e2 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/01/20 08:11 net-next-old fe8152b38d3a 5da9499f .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2021/12/26 07:01 net-next-old 7c63f26cb518 6caa12e4 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2021/12/13 22:45 net-next-old 9b5bcb193a3b 49ca1f59 .config console log report syz C ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/07/09 07:15 linux-next cb71b93c2dc3 b5765a15 .config console log report syz C ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2022/05/23 08:37 linux-next 18ecd30af1a8 7268fa62 .config console log report syz C ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2022/05/15 12:39 linux-next 1e1b28b936ae 744a39e2 .config console log report syz C ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2023/03/02 17:03 net-old fb07390463c9 f8902b57 .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/09/04 16:17 upstream 708283abf896 8bc9053e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2022/01/12 23:40 upstream f079ab01b560 44d1319a .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __dev_queue_xmit
2021/11/24 04:15 upstream 5d9f4cf36721 545ab074 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __dev_queue_xmit
2021/11/21 01:12 upstream a90af8f15bdc 4eb20a4e .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __dev_queue_xmit
2021/10/25 13:51 upstream 87066fdd2e30 4f0000ee .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2021/09/29 05:10 upstream a4e6f95a891a d82cb927 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2021/08/30 17:36 upstream 7d2a07b76933 8f58a0ef .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __dev_queue_xmit
2021/06/28 21:51 upstream 62fb9874f5da 9d2ab5df .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __dev_queue_xmit
2023/10/27 08:28 net c17cda15cc86 bf285f0c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/09/14 05:24 net-old 0727a9a5fbc1 b884348d .config console log report info [disk image] [vmlinux] ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/08/23 00:19 net-old 3c53cd65dece 26a13b38 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/06/24 06:50 net-old 12378a5a75e3 912f5df7 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/05/23 20:04 net-old 8c3b8dc5cc9b 4c7657cb .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/04/10 16:10 net-old 8d3a6c37d50d e22c3da3 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2021/09/25 11:08 net-old 7fe7f3182a0d 8cac236e .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/11/05 02:24 net-next-old fbeb229a6622 6d752409 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/09/21 20:53 net-next-old c29b06821590 380f82fb .config console log report info [disk image] [vmlinux] ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/08/10 07:21 net-next-old 3c47fb2f4c4d c2a623d6 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2022/07/19 20:43 net-next-old e22c88799f26 72a3cc0c .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __dev_queue_xmit
2021/08/09 20:18 linux-next da454ebf578f 6972b106 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in __dev_queue_xmit
2024/03/02 03:13 upstream 17ba56605bfd 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2024/02/13 01:09 upstream 716f4aaa7b48 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in __dev_queue_xmit
2024/01/14 13:07 upstream 052d534373b7 551587c1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2024/01/09 01:34 upstream 5db8752c3b81 4c0fd4bb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/12/15 19:41 upstream 3f7168591ebf 3222d10c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/11/19 09:00 upstream 05aa69b096a0 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/10/22 21:07 upstream fe3cfe869d5e 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/09/20 22:48 upstream 5d2f53532ecc 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/10/15 10:39 upstream 9a3dad63edbe f757a323 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 Internal error in __dev_queue_xmit
2023/09/29 02:46 upstream 633b47cb009d d265efd8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 Internal error in __dev_queue_xmit
2023/06/22 12:35 upstream dad9774deaf1 09ffe269 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/04/14 05:55 upstream 44149752e998 3cfcaa1b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/08/18 21:07 upstream 8abd7287db92 d216d8a0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in __dev_queue_xmit
2024/02/17 10:30 net-next 71b605d32017 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-net-next-test-gce KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/09/04 16:34 net-next bd6c11bc43c4 8bc9053e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/12/09 06:01 linux-next 8e00ce02066e 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/08/26 00:20 linux-next 626932085009 03d9c195 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in __dev_queue_xmit
2023/04/08 09:35 linux-next e134c93f788f 71147e29 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in __dev_queue_xmit