syzbot


KASAN: use-after-free Read in batadv_iv_ogm_queue_add

Status: upstream: reported syz repro on 2019/10/14 17:58
Reported-by: syzbot+e7bfe3c4b6b706caa062@syzkaller.appspotmail.com
First crash: 1627d, last: 1470d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in batadv_iv_ogm_queue_add batman 3 1609d 1640d 13/26 fixed on 2019/11/23 02:56
Last patch testing requests (4)
Created Duration User Patch Repo Result
2022/12/08 06:31 10m retest repro linux-4.14.y report log
2022/12/08 03:31 13m retest repro linux-4.14.y report log
2022/08/27 21:27 15m retest repro linux-4.14.y report log
2022/08/27 20:27 15m retest repro linux-4.14.y report log

Sample crash report:
bond0 (unregistering): Released all slaves
bond0: Releasing backup interface bond_slave_1
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
Read of size 132 at addr ffff8880a99f8e00 by task kworker/u4:3/58

CPU: 0 PID: 58 Comm: kworker/u4:3 Not tainted 4.14.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:347 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
 batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
 batadv_iv_ogm_schedule+0xa38/0xdf0 net/batman-adv/bat_iv_ogm.c:982
 batadv_iv_send_outstanding_bat_ogm_packet+0x4ad/0x6a0 net/batman-adv/bat_iv_ogm.c:1809
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 58:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15b/0x7c0 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 batadv_tvlv_realloc_packet_buff net/batman-adv/tvlv.c:288 [inline]
 batadv_tvlv_container_ogm_append+0x12a/0x490 net/batman-adv/tvlv.c:329
 batadv_iv_ogm_schedule+0xb78/0xdf0 net/batman-adv/bat_iv_ogm.c:945
 batadv_iv_send_outstanding_bat_ogm_packet+0x4ad/0x6a0 net/batman-adv/bat_iv_ogm.c:1809
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 7995:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:393
 batadv_hardif_disable_interface.cold+0x61e/0x867 net/batman-adv/hard-interface.c:836
 batadv_softif_destroy_netlink+0xa3/0x140 net/batman-adv/soft-interface.c:1134
 rtnl_delete_link+0xc0/0x110 net/core/rtnetlink.c:2374
 rtnl_dellink+0x1d9/0x600 net/core/rtnetlink.c:2411
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 ___sys_sendmsg+0x70a/0x840 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880a99f8e00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff8880a99f8e00, ffff8880a99f8ec0)
The buggy address belongs to the page:
page:ffffea0002a67e00 count:1 mapcount:0 mapping:ffff8880a99f8000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a99f8000 0000000000000000 0000000100000010
raw: ffffea00022501e0 ffff88812fe54148 ffff88812fe56040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a99f8d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a99f8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a99f8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a99f8e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a99f8f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (63):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/03/15 18:10 linux-4.14.y 12cd844a39ed 749688d2 .config console log report syz ci2-linux-4-14
2020/02/21 05:26 linux-4.14.y 98db2bf27b9e bd2a74a3 .config console log report syz ci2-linux-4-14
2020/03/19 16:02 linux-4.14.y 12cd844a39ed 2c31c529 .config console log report ci2-linux-4-14
2020/03/17 21:39 linux-4.14.y 12cd844a39ed 97bc55ce .config console log report ci2-linux-4-14
2020/03/17 06:25 linux-4.14.y 12cd844a39ed 749688d2 .config console log report ci2-linux-4-14
2020/03/16 06:55 linux-4.14.y 12cd844a39ed 749688d2 .config console log report ci2-linux-4-14
2020/03/15 07:50 linux-4.14.y 12cd844a39ed 749688d2 .config console log report ci2-linux-4-14
2020/03/13 07:56 linux-4.14.y 12cd844a39ed fd69032d .config console log report ci2-linux-4-14
2020/03/11 12:21 linux-4.14.y 78d697fc93f9 e103bc9e .config console log report ci2-linux-4-14
2020/03/05 23:49 linux-4.14.y 78d697fc93f9 b655d91b .config console log report ci2-linux-4-14
2020/03/03 04:02 linux-4.14.y 78d697fc93f9 4a4e0509 .config console log report ci2-linux-4-14
2020/02/28 18:34 linux-4.14.y 78d697fc93f9 c88c7b75 .config console log report ci2-linux-4-14
2020/02/28 01:34 linux-4.14.y 98db2bf27b9e c88c7b75 .config console log report ci2-linux-4-14
2020/02/27 21:17 linux-4.14.y 98db2bf27b9e c88c7b75 .config console log report ci2-linux-4-14
2020/02/26 09:58 linux-4.14.y 98db2bf27b9e 4f588111 .config console log report ci2-linux-4-14
2020/02/16 18:43 linux-4.14.y 98db2bf27b9e cf914200 .config console log report ci2-linux-4-14
2020/02/15 21:20 linux-4.14.y 98db2bf27b9e 5d7b90f1 .config console log report ci2-linux-4-14
2020/02/14 01:41 linux-4.14.y e0f8b8a65a47 5d7b90f1 .config console log report ci2-linux-4-14
2020/02/13 20:17 linux-4.14.y e0f8b8a65a47 e6247653 .config console log report ci2-linux-4-14
2020/02/13 16:24 linux-4.14.y e0f8b8a65a47 e6247653 .config console log report ci2-linux-4-14
2020/02/13 06:22 linux-4.14.y e0f8b8a65a47 84f4fc8a .config console log report ci2-linux-4-14
2020/02/12 22:00 linux-4.14.y e0f8b8a65a47 84f4fc8a .config console log report ci2-linux-4-14
2020/02/12 15:04 linux-4.14.y e0f8b8a65a47 a75b198c .config console log report ci2-linux-4-14
2020/02/11 21:58 linux-4.14.y e0f8b8a65a47 4d1ab643 .config console log report ci2-linux-4-14
2020/02/11 19:59 linux-4.14.y e0f8b8a65a47 4d1ab643 .config console log report ci2-linux-4-14
2020/02/11 18:51 linux-4.14.y e0f8b8a65a47 4d1ab643 .config console log report ci2-linux-4-14
2020/02/11 16:11 linux-4.14.y e0f8b8a65a47 084454ae .config console log report ci2-linux-4-14
2020/02/10 23:57 linux-4.14.y e0f8b8a65a47 d9e55b05 .config console log report ci2-linux-4-14
2020/02/10 05:28 linux-4.14.y e0f8b8a65a47 35f5e45e .config console log report ci2-linux-4-14
2020/02/09 02:32 linux-4.14.y e0f8b8a65a47 06150bf1 .config console log report ci2-linux-4-14
2020/02/04 17:20 linux-4.14.y 9fa690a2a016 93e5e335 .config console log report ci2-linux-4-14
2020/02/03 14:41 linux-4.14.y 9fa690a2a016 93e5e335 .config console log report ci2-linux-4-14
2020/02/02 06:57 linux-4.14.y 9fa690a2a016 2274ad39 .config console log report ci2-linux-4-14
2020/02/02 06:04 linux-4.14.y 9fa690a2a016 2274ad39 .config console log report ci2-linux-4-14
2020/01/31 20:01 linux-4.14.y 9fa690a2a016 0eb59c27 .config console log report ci2-linux-4-14
2020/01/30 21:39 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/30 04:55 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/30 03:12 linux-4.14.y 9fa690a2a016 5ed23f9a .config console log report ci2-linux-4-14
2020/01/28 08:41 linux-4.14.y 9a95f25269bd 56cd6c9b .config console log report ci2-linux-4-14
2020/01/27 14:25 linux-4.14.y 9a95f25269bd dd56146d .config console log report ci2-linux-4-14
2020/01/27 05:12 linux-4.14.y 8bac50406cca dd56146d .config console log report ci2-linux-4-14
2020/01/26 03:58 linux-4.14.y 8bac50406cca f4e7270e .config console log report ci2-linux-4-14
2020/01/24 07:03 linux-4.14.y 8bac50406cca 2e95ab33 .config console log report ci2-linux-4-14
2020/01/22 10:26 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/22 06:35 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/22 01:12 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/21 11:09 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/21 03:12 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/20 13:05 linux-4.14.y c1141b3aab36 c40da18c .config console log report ci2-linux-4-14
2020/01/20 12:36 linux-4.14.y c1141b3aab36 c40da18c .config console log report ci2-linux-4-14
2020/01/20 08:56 linux-4.14.y c1141b3aab36 0342f8c7 .config console log report ci2-linux-4-14
2020/01/20 07:20 linux-4.14.y c1141b3aab36 0342f8c7 .config console log report ci2-linux-4-14
2020/01/19 14:41 linux-4.14.y c1141b3aab36 bc8bc756 .config console log report ci2-linux-4-14
2020/01/18 00:42 linux-4.14.y c1141b3aab36 3de7aabb .config console log report ci2-linux-4-14
2020/01/05 02:48 linux-4.14.y 84f5ad468100 68256974 .config console log report ci2-linux-4-14
2019/12/21 20:38 linux-4.14.y e1f7d50ae3a3 bc586918 .config console log report ci2-linux-4-14
2019/11/20 21:10 linux-4.14.y 775d01b65b5d 432c7650 .config console log report ci2-linux-4-14
2019/11/11 13:11 linux-4.14.y c9fda4f22428 dc438b91 .config console log report ci2-linux-4-14
2019/10/14 16:58 linux-4.14.y e132c8d7b58d a6aef847 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.