syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

Status: auto-obsoleted due to no activity on 2023/05/14 02:28
Reported-by: syzbot+e105038bc96ee7e50171@syzkaller.appspotmail.com
First crash: 567d, last: 567d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: failed (error log, bisect log)
  
Similar bugs (14)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (3) net C 10353 2367d 2434d 4/27 fixed on 2018/01/31 00:24
android-44 KASAN: stack-out-of-bounds Read in xfrm_state_find C 842 1694d 1927d 0/2 public: reported C repro on 2019/04/12 00:00
android-54 KASAN: stack-out-of-bounds Read in xfrm_state_find C 1 567d 567d 0/2 upstream: reported C repro on 2023/01/01 01:05
android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find origin:upstream missing-backport C error error 2 81d 567d 0/2 upstream: reported C repro on 2023/01/01 00:40
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (5) net C done 654 1999d 2302d 13/27 fixed on 2019/11/11 16:48
upstream KMSAN: uninit-value in xfrm_state_find net C error done 215 428d 2228d 22/27 fixed on 2023/07/01 16:05
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find net C 365 2463d 2535d 0/27 closed as invalid on 2017/10/23 16:19
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 1 986d 986d 0/2 closed as invalid on 2022/02/03 13:56
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find C 4151 2028d 2539d 0/3 closed as invalid on 2019/01/01 20:10
android-414 KASAN: stack-out-of-bounds Read in xfrm_state_find C 137 2001d 1928d 0/1 public: reported C repro on 2019/04/11 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (2) net C 93 2445d 2453d 3/27 fixed on 2017/11/18 01:42
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 392 1691d 1927d 0/3 public: reported C repro on 2019/04/11 08:44
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (4) net C 102 2311d 2362d 4/27 fixed on 2018/03/23 18:14
upstream KMSAN: uninit-value in xfrm_state_find (2) net 19 102d 261d 0/27 auto-obsoleted due to no activity on 2024/07/18 11:50
Last patch testing requests (1)
Created Duration User Patch Repo Result
2023/05/14 01:51 28m retest repro android13-5.10-lts OK log

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
Read of size 4 at addr ffffc90000007a78 by task kworker/0:4/428

CPU: 0 PID: 428 Comm: kworker/0:4 Not tainted 5.10.160-syzkaller-01321-g003c389455eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events linkwatch_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2400 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2445 [inline]
 xfrm_resolve_and_create_bundle+0x66d/0x2c80 net/xfrm/xfrm_policy.c:2738
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2973 [inline]
 xfrm_lookup_with_ifid+0xc7d/0x2440 net/xfrm/xfrm_policy.c:3104
 xfrm_lookup net/xfrm/xfrm_policy.c:3196 [inline]
 xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3207
 ip_route_output_flow+0x1e7/0x310 net/ipv4/route.c:2792
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x405/0xff0 net/ipv4/igmp.c:369
 add_grhead+0x84/0x320 net/ipv4/igmp.c:440
 add_grec+0x12f8/0x1600 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x8b0/0xfa0 net/ipv4/igmp.c:809
 call_timer_fn+0x35/0x270 kernel/time/timer.c:1420
 expire_timers+0x21b/0x3a0 kernel/time/timer.c:1465
 __run_timers+0x598/0x6f0 kernel/time/timer.c:1759
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1772
 __do_softirq+0x27e/0x596 kernel/softirq.c:305
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:402 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xb5c/0xf20 kernel/printk/printk.c:2555
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 d0 1a 53 00 48 c7
RSP: 0018:ffffc900010975a0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88810c84cf00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90001097830 R08: ffffffff815408fb R09: 0000000000000003
R10: fffff52000212ea5 R11: 1ffff92000212ea4 R12: ffffc900010977a0
R13: 1ffffffff0cbb111 R14: ffffc90001097700 R15: dffffc0000000000
 vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
 vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
 printk+0xcf/0x10f kernel/printk/printk.c:2111
 addrconf_notify+0xbf4/0xe90 net/ipv6/addrconf.c:3620
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0x9e/0x110 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
 netdev_state_change+0x1ba/0x280 net/core/dev.c:1484
 linkwatch_do_dev+0xfe/0x140 net/core/link_watch.c:167
 __linkwatch_run_queue+0x4f5/0x7f0 net/core/link_watch.c:213
 linkwatch_event+0x4c/0x60 net/core/link_watch.c:252
 process_one_work+0x726/0xc10 kernel/workqueue.c:2296
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299


Memory state around the buggy address:
 ffffc90000007900: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f3
                                                                ^
 ffffc90000007a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	85 db                	test   %ebx,%ebx
   2:	4c 8d b4 24 60 01 00 	lea    0x160(%rsp),%r14
   9:	00
   a:	0f 85 82 03 00 00    	jne    0x392
  10:	e8 49 6e 00 00       	callq  0x6e5e
  15:	48 8b 44 24 30       	mov    0x30(%rsp),%rax
  1a:	48 89 84 24 90 00 00 	mov    %rax,0x90(%rsp)
  21:	00
  22:	ff b4 24 90 00 00 00 	pushq  0x90(%rsp)
  29:	9d                   	popfq
* 2a:	48 8b 44 24 38       	mov    0x38(%rsp),%rax <-- trapping instruction
  2f:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  34:	74 08                	je     0x3e
  36:	4c 89 f7             	mov    %r14,%rdi
  39:	e8 d0 1a 53 00       	callq  0x531b0e
  3e:	48                   	rex.W
  3f:	c7                   	.byte 0xc7

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/01/01 00:59 android12-5.10-lts 003c389455eb ab32d508 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find
* Struck through repros no longer work on HEAD.