KASAN: use-after-free Read in ip_tunnel

Title	Replies (including bot)	Last reply
Reminder: 99 open syzbot bugs in net subsystem	14 (14)	2019/07/31 15:13
Reminder: 94 open syzbot bugs in net subsystem	1 (1)	2019/06/25 05:48
KASAN: use-after-free Read in ip_tunnel_lookup	0 (1)	2019/01/14 17:27

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in ip_tunnel_lookup				1	1478d	1478d	0/1	auto-closed as invalid on 2020/07/27 23:03

linux-4.14

KASAN: use-after-free Read in ip_tunnel_lookup

1478d

0/1

auto-closed as invalid on 2020/07/27 23:03

bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0) ================================================================== BUG: KASAN: use-after-free in ip_tunnel_lookup+0xc89/0xe00 net/ipv4/ip_tunnel.c:142 Read of size 4 at addr ffff88806a323344 by task ksoftirqd/1/16 CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.1.0-rc2+ #147 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 ip_tunnel_lookup+0xc89/0xe00 net/ipv4/ip_tunnel.c:142 __ipgre_rcv+0x1b9/0xaa0 net/ipv4/ip_gre.c:339 ipgre_rcv net/ipv4/ip_gre.c:384 [inline] gre_rcv+0x3e5/0x19f0 net/ipv4/ip_gre.c:420 gre_rcv+0x253/0x4a0 net/ipv4/gre_demux.c:160 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255 dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:414 ip_sabotage_in net/bridge/br_netfilter_hooks.c:837 [inline] ip_sabotage_in+0x214/0x280 net/bridge/br_netfilter_hooks.c:828 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline] nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511 nf_hook include/linux/netfilter.h:244 [inline] NF_HOOK include/linux/netfilter.h:287 [inline] ip_rcv+0x237/0x3f0 net/ipv4/ip_input.c:524 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5085 netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5188 netif_receive_skb+0x6e/0x5a0 net/core/dev.c:5263 br_netif_receive_skb+0x107/0x200 net/bridge/br_input.c:34 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] br_pass_frame_up+0x354/0x730 net/bridge/br_input.c:69 br_handle_frame_finish+0x6e0/0x14c0 net/bridge/br_input.c:175 br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1006 br_nf_pre_routing_finish+0x8e2/0x1750 net/bridge/br_netfilter_hooks.c:410 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] br_nf_pre_routing+0x895/0x14b0 net/bridge/br_netfilter_hooks.c:507 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline] nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511 nf_hook include/linux/netfilter.h:244 [inline] NF_HOOK include/linux/netfilter.h:287 [inline] br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305 __netif_receive_skb_core+0xa96/0x3040 net/core/dev.c:4902 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5085 process_backlog+0x206/0x750 net/core/dev.c:5925 napi_poll net/core/dev.c:6348 [inline] net_rx_action+0x4fa/0x1070 net/core/dev.c:6414 __do_softirq+0x266/0x95a kernel/softirq.c:293 run_ksoftirqd kernel/softirq.c:655 [inline] run_ksoftirqd+0x8e/0x110 kernel/softirq.c:647 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164 kthread+0x357/0x430 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Allocated by task 7789: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 __do_kmalloc_node mm/slab.c:3686 [inline] __kmalloc_node+0x4e/0x70 mm/slab.c:3693 kmalloc_node include/linux/slab.h:588 [inline] kvmalloc_node+0x68/0x100 mm/util.c:430 kvmalloc include/linux/mm.h:605 [inline] kvzalloc include/linux/mm.h:613 [inline] alloc_netdev_mqs+0x98/0xd30 net/core/dev.c:9124 __ip_tunnel_create+0x1d5/0x530 net/ipv4/ip_tunnel.c:269 ip_tunnel_init_net+0x375/0x9e0 net/ipv4/ip_tunnel.c:1073 ipgre_tap_init_net+0x2a/0x30 net/ipv4/ip_gre.c:1572 ops_init+0xb6/0x410 net/core/net_namespace.c:129 setup_net+0x2d3/0x740 net/core/net_namespace.c:315 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:438 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2549 __do_sys_unshare kernel/fork.c:2617 [inline] __se_sys_unshare kernel/fork.c:2615 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2615 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 30429: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3821 kvfree+0x61/0x70 mm/util.c:459 netdev_freemem+0x4c/0x60 net/core/dev.c:9078 netdev_release+0x86/0xb0 net/core/net-sysfs.c:1637 device_release+0x7d/0x210 drivers/base/core.c:1064 kobject_cleanup lib/kobject.c:662 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put.cold+0x28f/0x2ec lib/kobject.c:708 netdev_run_todo+0x5cc/0x7d0 net/core/dev.c:8983 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116 ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1127 ipgre_tap_exit_batch_net+0x23/0x30 net/ipv4/ip_gre.c:1577 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:552 process_one_work+0x98e/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x357/0x430 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff88806a322840 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 2820 bytes inside of 4096-byte region [ffff88806a322840, ffff88806a323840) The buggy address belongs to the page: page:ffffea0001a8c880 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea0001a8b788 ffffea0001a8cb08 ffff88812c3f0dc0 raw: 0000000000000000 ffff88806a322840 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88806a323200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806a323280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88806a323300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88806a323380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806a323400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Manager
2019/03/31 15:46	net-old	288ac524cf70	0c624d4d	.config	console log	report	ci-upstream-net-this-kasan-gce
2019/03/17 10:40	net-old	517ccc2aa50d	bab43553	.config	console log	report	ci-upstream-net-this-kasan-gce
2018/12/21 17:21	net-old	f0c928d878e7	588075e6	.config	console log	report	ci-upstream-net-this-kasan-gce
2018/12/21 11:07	net-next-old	962ad710f7d6	2b497001	.config	console log	report	ci-upstream-net-kasan-gce

Crashes (4):

Assets (help?)