syzbot


KASAN: use-after-free Read in ip_tunnel_lookup

Status: auto-closed as invalid on 2019/09/27 15:52
Reported-by: syzbot+4a0034797afb7e908ab4@syzkaller.appspotmail.com
First crash: 1498d, last: 1398d
similar bugs (1):
Kernel      Title                                           Count  Last   Reported  Patched  Status
linux-4.14  KASAN: use-after-free Read in ip_tunnel_lookup  1      1033d  1033d     0/1      auto-closed as invalid on 2020/07/27 23:03

Sample crash report:
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
==================================================================
BUG: KASAN: use-after-free in ip_tunnel_lookup+0xc89/0xe00 net/ipv4/ip_tunnel.c:142
Read of size 4 at addr ffff88806a323344 by task ksoftirqd/1/16

CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.1.0-rc2+ #147
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 ip_tunnel_lookup+0xc89/0xe00 net/ipv4/ip_tunnel.c:142
 __ipgre_rcv+0x1b9/0xaa0 net/ipv4/ip_gre.c:339
 ipgre_rcv net/ipv4/ip_gre.c:384 [inline]
 gre_rcv+0x3e5/0x19f0 net/ipv4/ip_gre.c:420
 gre_rcv+0x253/0x4a0 net/ipv4/gre_demux.c:160
 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:414
 ip_sabotage_in net/bridge/br_netfilter_hooks.c:837 [inline]
 ip_sabotage_in+0x214/0x280 net/bridge/br_netfilter_hooks.c:828
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip_rcv+0x237/0x3f0 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5085
 netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5188
 netif_receive_skb+0x6e/0x5a0 net/core/dev.c:5263
 br_netif_receive_skb+0x107/0x200 net/bridge/br_input.c:34
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_pass_frame_up+0x354/0x730 net/bridge/br_input.c:69
 br_handle_frame_finish+0x6e0/0x14c0 net/bridge/br_input.c:175
 br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1006
 br_nf_pre_routing_finish+0x8e2/0x1750 net/bridge/br_netfilter_hooks.c:410
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_nf_pre_routing+0x895/0x14b0 net/bridge/br_netfilter_hooks.c:507
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3040 net/core/dev.c:4902
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5085
 process_backlog+0x206/0x750 net/core/dev.c:5925
 napi_poll net/core/dev.c:6348 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6414
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 run_ksoftirqd kernel/softirq.c:655 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:647
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7789:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
 __do_kmalloc_node mm/slab.c:3686 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3693
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:430
 kvmalloc include/linux/mm.h:605 [inline]
 kvzalloc include/linux/mm.h:613 [inline]
 alloc_netdev_mqs+0x98/0xd30 net/core/dev.c:9124
 __ip_tunnel_create+0x1d5/0x530 net/ipv4/ip_tunnel.c:269
 ip_tunnel_init_net+0x375/0x9e0 net/ipv4/ip_tunnel.c:1073
 ipgre_tap_init_net+0x2a/0x30 net/ipv4/ip_gre.c:1572
 ops_init+0xb6/0x410 net/core/net_namespace.c:129
 setup_net+0x2d3/0x740 net/core/net_namespace.c:315
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:438
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2549
 __do_sys_unshare kernel/fork.c:2617 [inline]
 __se_sys_unshare kernel/fork.c:2615 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2615
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 30429:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3821
 kvfree+0x61/0x70 mm/util.c:459
 netdev_freemem+0x4c/0x60 net/core/dev.c:9078
 netdev_release+0x86/0xb0 net/core/net-sysfs.c:1637
 device_release+0x7d/0x210 drivers/base/core.c:1064
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
 netdev_run_todo+0x5cc/0x7d0 net/core/dev.c:8983
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
 ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1127
 ipgre_tap_exit_batch_net+0x23/0x30 net/ipv4/ip_gre.c:1577
 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:552
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x357/0x430 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88806a322840
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2820 bytes inside of
 4096-byte region [ffff88806a322840, ffff88806a323840)
The buggy address belongs to the page:
page:ffffea0001a8c880 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0001a8b788 ffffea0001a8cb08 ffff88812c3f0dc0
raw: 0000000000000000 ffff88806a322840 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806a323200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806a323280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806a323300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88806a323380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806a323400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Manager                         Time              Kernel    Commit        Syzkaller  Artifacts
ci-upstream-net-this-kasan-gce  2019/03/31 15:46  net       288ac524cf70  0c624d4d   .config, console log, report
ci-upstream-net-this-kasan-gce  2019/03/17 10:40  net       517ccc2aa50d  bab43553   .config, console log, report
ci-upstream-net-this-kasan-gce  2018/12/21 17:21  net       f0c928d878e7  588075e6   .config, console log, report
ci-upstream-net-kasan-gce       2018/12/21 11:07  net-next  962ad710f7d6  2b497001   .config, console log, report