syzbot


KASAN: use-after-free Read in pppol2tp_connect

Status: auto-closed as invalid on 2019/02/22 12:37
First crash: 2278d, last: 2073d
Similar bugs (5)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-44 | KASAN: use-after-free Read in pppol2tp_connect | C | | | 28 | 2055d | 1829d | 0/2 | public: reported C repro on 2019/04/13 00:00
upstream | KASAN: use-after-free Read in pppol2tp_connect (2) net | C | | | 10 | 2215d | 2230d | 4/26 | fixed on 2018/03/23 18:14
linux-4.14 | KASAN: use-after-free Read in pppol2tp_connect | syz | inconclusive | | 7 | 1416d | 1663d | 0/1 | upstream: reported syz repro on 2019/09/25 11:59
upstream | KASAN: use-after-free Read in pppol2tp_connect (3) net | C | | | 22 | 2195d | 2213d | 5/26 | fixed on 2018/05/08 18:30
upstream | KASAN: use-after-free Read in pppol2tp_connect net | C | | | 25 | 2231d | 2281d | 4/26 | fixed on 2018/03/06 13:29

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1695 [inline]
BUG: KASAN: use-after-free in pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746
Read of size 8 at addr ffff8801ced401d8 by task syz-executor7/9507

CPU: 0 PID: 9507 Comm: syz-executor7 Not tainted 4.9.119-g9dc978d #75
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a16d7ad0 ffffffff81eb4be9 ffffea00073b5000 ffff8801ced401d8
 0000000000000000 ffff8801ced401d8 0000000000000000 ffff8801a16d7b08
 ffffffff81567f89 ffff8801ced401d8 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81eb4be9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb4be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567f89>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81568393>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bf14>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff836c94a0>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff836c94a0>] sk_dst_get include/net/sock.h:1695 [inline]
 [<ffffffff836c94a0>] pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746
 [<ffffffff83019958>] SYSC_connect+0x1b8/0x300 net/socket.c:1563
 [<ffffffff8301c224>] SyS_connect+0x24/0x30 net/socket.c:1544
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839fccd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 8791:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728
 sk_prot_alloc+0x69/0x290 net/core/sock.c:1332
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 inet6_create+0x2d9/0xd80 net/ipv6/af_inet6.c:198
 __sock_create+0x2ef/0x5f0 net/socket.c:1183
 sock_create net/socket.c:1223 [inline]
 SYSC_socket net/socket.c:1253 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1233
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 8874:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 sk_prot_free net/core/sock.c:1375 [inline]
 __sk_destruct+0x3b9/0x590 net/core/sock.c:1455
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801ced40000
 which belongs to the cache UDPv6 of size 1496
The buggy address is located 472 bytes inside of
 1496-byte region [ffff8801ced40000, ffff8801ced405d8)
The buggy address belongs to the page:
page:ffffea00073b5000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ced40080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ced40100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ced40180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801ced40200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ced40280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
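
The report above gives a triager everything needed to check that the use-after-free label is self-consistent: the faulting address, the slab object and its cache, the reported offset, the shadow bytes, and the allocating, freeing and faulting tasks. Read that way, it shows a UDPv6 socket created by socket() in task 8791, released by __sk_destruct from an RCU callback in task 8874 (that is, after its last reference had been dropped), and then dereferenced through sk_dst_get by connect() in task 9507 inside pppol2tp_connect, a pattern consistent with the connect path reaching the tunnel's UDP socket without holding a reference that would have kept it alive. The script below is an added example and is not part of the syzbot page or of syzkaller's tooling: it parses the report above (embedded as constructed input, with the stack traces trimmed) and runs those consistency checks. The shadow-byte meanings it relies on are those of the 4.x kernels' mm/kasan/kasan.h, and the check names and the dict layout are the example's own choices.

```python
import re

# KASAN shadow-memory layout on the 4.x kernels (mm/kasan/kasan.h): one shadow
# byte covers an 8-byte granule, a dump row shows 16 of them, 0xfb = freed slab object.
SHADOW_GRANULE = 8
SHADOW_ROW_BYTES = 16 * SHADOW_GRANULE
SHADOW_KMALLOC_FREE = 0xFB

# Constructed input: the report from this page, trimmed to the lines the parser
# reads (stack traces shortened, the '^' marker line dropped).
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1695 [inline]
BUG: KASAN: use-after-free in pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746
Read of size 8 at addr ffff8801ced401d8 by task syz-executor7/9507

Allocated by task 8791:
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 inet6_create+0x2d9/0xd80 net/ipv6/af_inet6.c:198

Freed by task 8874:
 sk_prot_free net/core/sock.c:1375 [inline]
 __sk_destruct+0x3b9/0x590 net/core/sock.c:1455
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037

The buggy address belongs to the object at ffff8801ced40000
 which belongs to the cache UDPv6 of size 1496
The buggy address is located 472 bytes inside of
 1496-byte region [ffff8801ced40000, ffff8801ced405d8)

Memory state around the buggy address:
>ffff8801ced40180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ced40200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
"""

def _frames_after(lines, header_re):
    """Return (pid, frames) for an 'Allocated by task N:' / 'Freed by task N:' block."""
    for i, line in enumerate(lines):
        m = re.match(header_re, line)
        if m:
            frames = []
            for frame in lines[i + 1:]:
                if not frame.strip():
                    break
                frames.append(frame.strip())
            return int(m.group(1)), frames
    raise ValueError("no block matching %r" % header_re)

def parse_kasan_report(text):
    """Pull the facts a triager needs out of a KASAN slab report."""
    lines = text.splitlines()
    bug_re = re.compile(r"BUG: KASAN: (\S+) in ([^\s+]+)\S* (\S+)")
    bugs = [m for m in map(bug_re.match, lines) if m]
    bug_type, func, site = bugs[-1].groups()  # last BUG line is the outermost non-inlined frame
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\n\s*which belongs to the cache (\S+) of size (\d+)", text)
    off = re.search(r"is located (\d+) bytes inside of", text)
    alloc_pid, alloc_stack = _frames_after(lines, r"Allocated by task (\d+):")
    free_pid, free_stack = _frames_after(lines, r"Freed by task (\d+):")
    rows = {}  # dump-row address -> its 16 shadow bytes
    for l in lines:
        m = re.match(r"[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", l)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return {
        "bug_type": bug_type, "func": func, "site": site,
        "access": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
        "pid": int(acc.group(4)), "alloc_pid": alloc_pid, "free_pid": free_pid,
        "alloc_stack": alloc_stack, "free_stack": free_stack,
        "obj_base": int(obj.group(1), 16), "cache": obj.group(2), "obj_size": int(obj.group(3)),
        "offset": int(off.group(1)), "shadow_rows": rows,
    }

def shadow_byte_at(report, addr):
    """Shadow byte covering addr, read from the dumped rows."""
    row = addr & ~(SHADOW_ROW_BYTES - 1)
    return report["shadow_rows"][row][(addr - row) // SHADOW_GRANULE]

def triage(r):
    """Cross-checks to run before trusting the use-after-free classification."""
    obj_end = r["obj_base"] + r["obj_size"]
    return {
        "access lies inside the object": r["obj_base"] <= r["addr"] and r["addr"] + r["size"] <= obj_end,
        "reported offset matches the address": r["addr"] - r["obj_base"] == r["offset"],
        "shadow marks freed slab memory": shadow_byte_at(r, r["addr"]) == SHADOW_KMALLOC_FREE,
        "freed from an RCU callback": any("rcu_process_callbacks" in f for f in r["free_stack"]),
        "alloc, free and use in three tasks": len({r["pid"], r["alloc_pid"], r["free_pid"]}) == 3,
    }

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print("%s: %s of %d bytes at offset %d of a %d-byte %s object, in %s (%s)" % (
        rep["bug_type"], rep["access"], rep["size"], rep["offset"], rep["obj_size"],
        rep["cache"], rep["func"], rep["site"]))
    for check, ok in triage(rep).items():
        print("  [%s] %s" % ("ok" if ok else "??", check))
```

Run as a script it prints the one-line summary and the check results; the same functions can be pointed at any KASAN slab report. A 0xfc shadow byte at the faulting address would instead mean the access landed in a slab redzone (an out-of-bounds access rather than a stale pointer), and the "freed slab memory" check would flag the mismatch with the report's own headline.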

Crashes (8):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2018/08/11 23:34 | android-4.9 (https://android.googlesource.com/kernel/common) | 9dc978d43ec7 | 7a88b141 | .config | console log | report | | | | | ci-android-49-kasan-gce |
2018/08/08 01:21 | android-4.9 (https://android.googlesource.com/kernel/common) | 47b77b8d01c4 | 1beb8136 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2018/07/15 17:29 | android-4.9 (https://android.googlesource.com/kernel/common) | 9e7903954483 | 92a49505 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2018/05/18 10:10 | android-4.9 (https://android.googlesource.com/kernel/common) | 73fdfa38c59d | c992b767 | .config | console log | report | | | | | ci-android-49-kasan-gce |
2018/01/31 11:00 | android-4.9 (https://android.googlesource.com/kernel/common) | 7be198545491 | 02553e22 | .config | console log | report | | | | | ci-android-49-kasan-gce |
2018/01/18 23:34 | android-4.9 (https://android.googlesource.com/kernel/common) | 87883134eb71 | 161c1d64 | .config | console log | report | | | | | ci-android-49-kasan-gce |
2018/03/01 04:02 | android-4.9 (https://android.googlesource.com/kernel/common) | 6e463bb69c99 | 05b5a32c | .config | console log | report | | | | | ci-android-49-kasan-gce-386 |
2018/02/21 20:52 | android-4.9 (https://android.googlesource.com/kernel/common) | 7ec482be026a | 04cbdbd1 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 |