syzbot


KASAN: use-after-free Read in inet_create

Status: closed as dup on 2018/04/09 01:05
Subsystems: net
Reported-by: syzbot+db99bd25cd19d3347dbf8c05d7dd3ca9bab2d7ad@syzkaller.appspotmail.com
First crash: 2541d, last: 2375d
Duplicate of
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: use-after-free Read in rds_cong_queue_updates rds C 18168 2334d 2466d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in inet_create (2) net 2 2304d 2322d 0/28 auto-closed as invalid on 2019/02/22 10:22
linux-4.14 KASAN: use-after-free Read in inet_create 1 1863d 1863d 0/1 auto-closed as invalid on 2020/02/15 10:53

Sample crash report:
gfs2: invalid mount option: v
gfs2: can't parse mount arguments
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in inet_create+0xf3d/0x10a0 net/ipv4/af_inet.c:339
Read of size 4 at addr ffff88018f6547c4 by task kworker/u4:5/6401

CPU: 1 PID: 6401 Comm: kworker/u4:5 Not tainted 4.16.0+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krdsd rds_connect_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 inet_create+0xf3d/0x10a0 net/ipv4/af_inet.c:339
 __sock_create+0x526/0x920 net/socket.c:1285
 sock_create_kern+0x3b/0x50 net/socket.c:1331
 rds_tcp_conn_path_connect+0x2a3/0x960 net/rds/tcp_connect.c:108
 rds_connect_worker+0x190/0x260 net/rds/threads.c:175
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

Allocated by task 4491:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 net_alloc net/core/net_namespace.c:383 [inline]
 copy_net_ns+0x159/0x4c0 net/core/net_namespace.c:423
 create_new_namespaces+0x69d/0x8f0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x708/0xfb0 kernel/fork.c:2409
 SYSC_unshare kernel/fork.c:2477 [inline]
 SyS_unshare+0x15/0x20 kernel/fork.c:2475
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 6401:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 net_free net/core/net_namespace.c:399 [inline]
 net_drop_ns.part.14+0x11a/0x130 net/core/net_namespace.c:406
 net_drop_ns net/core/net_namespace.c:405 [inline]
 cleanup_net+0x6a1/0xb20 net/core/net_namespace.c:541
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:411

The buggy address belongs to the object at ffff88018f6540c0
 which belongs to the cache net_namespace of size 8768
The buggy address is located 1796 bytes inside of
 8768-byte region [ffff88018f6540c0, ffff88018f656300)
The buggy address belongs to the page:
page:ffffea00063d9500 count:1 mapcount:0 mapping:ffff88018f6540c0 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff88018f6540c0 0000000000000000 0000000100000001
raw: ffffea00063d9320 ffffea0006388c20 ffff8801d9fd5e40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88018f654680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88018f654700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88018f654780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88018f654800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88018f654880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (445):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/04/10 05:18 upstream fd40ffc72e2f b9f65507 .config console log report ci-upstream-kasan-gce-root
2018/04/05 06:54 upstream 3e968c9f1401 676bd07e .config console log report ci-upstream-kasan-gce-root
2018/04/03 03:12 upstream 86bbbebac193 676bd07e .config console log report ci-upstream-kasan-gce-root
2018/04/02 07:49 upstream 0adb32858b0b dc889257 .config console log report ci-upstream-kasan-gce-root
2018/03/30 16:03 upstream c2a9838452a4 d47f0ed6 .config console log report ci-upstream-kasan-gce-root
2018/03/30 06:23 upstream c2a9838452a4 d47f0ed6 .config console log report ci-upstream-kasan-gce-root
2018/03/30 01:38 upstream 0b412605ef5f d47f0ed6 .config console log report ci-upstream-kasan-gce-root
2018/03/29 14:09 upstream 0b412605ef5f d47f0ed6 .config console log report ci-upstream-kasan-gce-root
2018/03/29 08:24 upstream a2601d78b77a bf5e585c .config console log report ci-upstream-kasan-gce-root
2018/03/28 23:19 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce
2018/03/28 05:17 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce
2018/03/27 20:42 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-root
2018/03/27 15:20 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-root
2018/03/25 17:32 upstream bcfc1f455466 e033c1f1 .config console log report ci-upstream-kasan-gce
2018/03/25 10:05 upstream bcfc1f455466 2e9d9054 .config console log report ci-upstream-kasan-gce
2018/03/17 16:28 upstream 8f5fd927c3a7 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/16 01:59 upstream e2c15aff5f35 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/14 03:56 upstream fc6eabbbf8ef 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/14 01:20 upstream fc6eabbbf8ef 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/13 23:59 upstream fc6eabbbf8ef 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/12 22:20 upstream 0c8efd610b58 f505ca4b .config console log report ci-upstream-kasan-gce
2018/03/12 19:05 upstream 0c8efd610b58 f505ca4b .config console log report ci-upstream-kasan-gce
2018/03/10 07:56 upstream cdb06e9d8f52 36d1c454 .config console log report ci-upstream-kasan-gce
2018/03/09 23:53 upstream 719ea86151f3 36d1c454 .config console log report ci-upstream-kasan-gce
2018/03/08 18:02 upstream 1b88accf6a65 acd0caa5 .config console log report ci-upstream-kasan-gce
2018/03/07 07:50 upstream ce380619fab9 c8a18476 .config console log report ci-upstream-kasan-gce
2018/02/08 14:00 upstream 581e400ff935 9fb5ec43 .config console log report ci-upstream-kasan-gce
2018/02/07 10:25 upstream cbd7b8a76b79 66c15deb .config console log report ci-upstream-kasan-gce
2018/02/05 05:24 upstream 35277995e179 a1bc9d40 .config console log report ci-upstream-kasan-gce
2018/02/04 18:26 upstream 617aebe6a97e a1bc9d40 .config console log report ci-upstream-kasan-gce
2018/02/04 16:07 upstream 617aebe6a97e a1bc9d40 .config console log report ci-upstream-kasan-gce
2018/02/03 13:14 upstream b89e32ccd1be 632a8c2c .config console log report ci-upstream-kasan-gce
2018/02/02 22:15 upstream 03f51d4efa22 632a8c2c .config console log report ci-upstream-kasan-gce
2018/02/02 19:41 upstream 03f51d4efa22 632a8c2c .config console log report ci-upstream-kasan-gce
2018/05/24 07:26 upstream bee797529d7c f48c20b8 .config console log report ci-upstream-kasan-gce-386
2018/04/09 16:58 upstream f2d285669aae f13fb445 .config console log report ci-upstream-kasan-gce-386
2018/03/28 15:33 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-386
2018/03/28 01:58 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-386
2018/03/27 23:21 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-386
2018/03/27 17:55 upstream 3eb2ce825ea1 bf5e585c .config console log report ci-upstream-kasan-gce-386
2018/03/23 20:11 upstream f36b7534b833 2e9d9054 .config console log report ci-upstream-kasan-gce-386
2018/03/23 05:28 upstream c4f4d2f91772 2e9d9054 .config console log report ci-upstream-kasan-gce-386
2018/03/21 23:28 upstream 3215b9d57a2c f63eeee9 .config console log report ci-upstream-kasan-gce-386
2018/03/18 17:14 upstream 8f5fd927c3a7 08dacaa0 .config console log report ci-upstream-kasan-gce-386
2018/03/18 02:03 upstream 8f5fd927c3a7 08dacaa0 .config console log report ci-upstream-kasan-gce-386
2018/03/16 22:00 upstream df09348f78dc 08dacaa0 .config console log report ci-upstream-kasan-gce-386
2018/03/14 08:39 upstream fc6eabbbf8ef 08dacaa0 .config console log report ci-upstream-kasan-gce-386
2018/03/07 18:38 upstream 86f84779d8e9 a5e76540 .config console log report ci-upstream-kasan-gce-386
2018/02/08 07:52 upstream 581e400ff935 9fb5ec43 .config console log report ci-upstream-kasan-gce-386
2018/02/04 05:24 upstream 23c35f48f5fb 632a8c2c .config console log report ci-upstream-kasan-gce-386
2018/03/21 07:20 net-next-old 0466080c751e 113a43ff .config console log report ci-upstream-net-kasan-gce
2018/02/07 15:26 net-next-old 617aebe6a97e 9fb5ec43 .config console log report ci-upstream-net-kasan-gce
2018/01/22 11:36 linux-next 761914dd2975 aeb24072 .config console log report ci-upstream-next-kasan-gce