syzbot

 sign-in | mailing list | source | docs
🐞 Open [1490]
Subsystems
🐞 Fixed [6580]
🐞 Invalid [16829]
Missing Backports [204]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in rhashtable_last_table

Status: closed as invalid on 2019/04/19 22:15
Subsystems: net
[Documentation on labels]
First crash: 2542d, last: 2430d
Similar bugs (6)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in rhashtable_last_table 19 2 2125d 2207d 0/3 auto-closed as invalid on 2020/03/20 18:26
upstream KASAN: use-after-free Read in rhashtable_last_table (2) net 19 1 2307d 2307d 12/29 fixed on 2019/08/05 13:45
linux-4.19 KASAN: use-after-free Read in rhashtable_last_table 19 2 1581d 1655d 0/1 auto-closed as invalid on 2021/09/15 21:37
linux-4.19 KASAN: use-after-free Read in rhashtable_last_table (2) 19 1 1375d 1375d 0/1 auto-closed as invalid on 2022/04/09 15:34
linux-4.19 KASAN: use-after-free Read in rhashtable_last_table (3) 19 1 1142d 1142d 0/1 auto-obsoleted due to no activity on 2022/11/27 23:30
linux-4.14 KASAN: use-after-free Read in rhashtable_last_table 19 1 1614d 1614d 0/1 auto-closed as invalid on 2021/08/13 13:57

Sample crash report:
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:191 [inline]
BUG: KASAN: use-after-free in rhashtable_last_table+0x220/0x250 lib/rhashtable.c:217
bridge0: port 2(bridge_slave_1) entered disabled state
Read of size 8 at addr ffff88808c993280 by task kworker/0:2/23357

CPU: 0 PID: 23357 Comm: kworker/0:2 Not tainted 5.0.0-rc1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
device bridge_slave_1 entered promiscuous mode
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __read_once_size include/linux/compiler.h:191 [inline]
 rhashtable_last_table+0x220/0x250 lib/rhashtable.c:217
 rht_deferred_worker+0x126/0x1de0 lib/rhashtable.c:410
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 18331:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 __do_kmalloc_node mm/slab.c:3673 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3680
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:416
 kvmalloc include/linux/mm.h:604 [inline]
 kvzalloc include/linux/mm.h:612 [inline]
 bucket_table_alloc+0x9f/0x540 lib/rhashtable.c:176
 rhashtable_init+0x525/0xa60 lib/rhashtable.c:1065
 inet_frags_init_net include/net/inet_frag.h:111 [inline]
 ipv6_frags_init_net+0x1de/0x4d0 net/ipv6/reassembly.c:635
 ops_init+0x109/0x5d0 net/core/net_namespace.c:129
 setup_net+0x326/0x8c0 net/core/net_namespace.c:314
 copy_net_ns+0x2ae/0x4b0 net/core/net_namespace.c:437
 create_new_namespaces+0x4ce/0x930 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x6d7/0xfb0 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7752:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 kvfree+0x61/0x70 mm/util.c:445
 bucket_table_free+0xde/0x260 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x155/0x8f0 lib/rhashtable.c:1163
 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:96
 ipv6_frags_exit_net+0x86/0xa0 net/ipv6/reassembly.c:648
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88808c993240
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 1024-byte region [ffff88808c993240, ffff88808c993640)
The buggy address belongs to the page:
page:ffffea0002326480 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0xffff88808c9924c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000277d788 ffffea00028c1388 ffff88812c3f0ac0
raw: ffff88808c9924c0 ffff88808c992040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c993180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88808c993200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88808c993280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88808c993300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c993380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
bond0: Enslaving bond_slave_0 as an active interface with an up link
bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
team0: Port device team_slave_0 added

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/01/10 10:56 upstream 4064e47c8281 45c0c1b1 .config console log report ci-upstream-kasan-gce-root
2019/01/20 11:34 upstream b0efca46b570 353f32ea .config console log report ci-upstream-kasan-gce-386
2018/11/01 07:01 net-old d48051c5b837 1f38e9ae .config console log report ci-upstream-net-this-kasan-gce
2018/09/30 19:37 bpf 4288ea006c73 41e4b329 .config console log report ci-upstream-bpf-kasan-gce
* Struck through repros no longer work on HEAD.