syzbot


KASAN: use-after-free Read in ip6mr_sk_done

Status: internal: reported C repro on 2022/02/05 23:02
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 7d9b1b578d67 ip6mr: fix use-after-free in ip6mr_sk_done()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 143d, last: 2d02h

Cause bisection: introduced by (bisect log):
commit f2f2325ec79970807012dfc9e716cdbb02d9b574
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Feb 4 20:15:46 2022 +0000

  ip6mr: ip6mr_sk_done() can exit early in common cases

Crash: KASAN: use-after-free Read in ip6mr_sk_done (log)
Repro: C syz .config

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: use-after-free in ip6mr_sk_done+0x11b/0x410 net/ipv6/ip6mr.c:1578
Read of size 4 at addr ffff88802094d088 by task kworker/u4:5/1037

CPU: 0 PID: 1037 Comm: kworker/u4:5 Not tainted 5.17.0-rc2-syzkaller-00650-g5a8fb33e5305 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 ip6mr_sk_done+0x11b/0x410 net/ipv6/ip6mr.c:1578
 rawv6_close+0x58/0x80 net/ipv6/raw.c:1201
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
 __sock_release net/socket.c:650 [inline]
 sock_release+0x87/0x1b0 net/socket.c:678
 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
 igmp6_net_exit+0x6b/0x170 net/ipv6/mcast.c:3173
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 49:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 set_kthread_struct+0xc5/0x250 kernel/kthread.c:118
 copy_process+0x3783/0x7300 kernel/fork.c:2091
 kernel_clone+0xe7/0xab0 kernel/fork.c:2555
 kernel_thread+0xb5/0xf0 kernel/fork.c:2607
 call_usermodehelper_exec_sync kernel/umh.c:135 [inline]
 call_usermodehelper_exec_work+0x69/0x180 kernel/umh.c:166
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 1037:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kfree+0xcb/0x280 mm/slub.c:4562
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88802094d000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 136 bytes inside of
 256-byte region [ffff88802094d000, ffff88802094d100)
The buggy address belongs to the page:
page:ffffea0000825300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2094c
head:ffffea0000825300 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00007a0300 dead000000000002 ffff888010c41b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, ts 11742720330, free_ts 0
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x28a/0x3b0 mm/slub.c:2004
 ___slab_alloc+0x87c/0xe90 mm/slub.c:3018
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x289/0x2c0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 set_kthread_struct+0xc5/0x250 kernel/kthread.c:118
 copy_process+0x3783/0x7300 kernel/fork.c:2091
 kernel_clone+0xe7/0xab0 kernel/fork.c:2555
 kernel_thread+0xb5/0xf0 kernel/fork.c:2607
 call_usermodehelper_exec_work kernel/umh.c:174 [inline]
 call_usermodehelper_exec_work+0xcc/0x180 kernel/umh.c:160
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802094cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802094d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802094d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88802094d100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802094d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (10772):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-kasan-gce 2022/02/16 05:17 net-next 5a8fb33e5305 8b9ca619 .config log report syz C KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/12 06:58 net-next 5a8fb33e5305 8b9ca619 .config log report syz C KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/09 07:16 net-next 5a8fb33e5305 0b33604d .config log report syz C KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/06 21:12 net-next 5a8fb33e5305 a7dab638 .config log report syz C KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/06 07:15 net-next 5a8fb33e5305 a7dab638 .config log report syz C KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-kasan-gce-root 2022/06/19 02:07 upstream 4b35035bcf80 8f633d84 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-kasan-gce 2022/06/01 18:12 upstream 700170bf6b4d 3666edfe .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-qemu-upstream-386 2022/06/01 23:03 upstream 8eca6b0a647a b4bc6a3d .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-kasan-gce 2022/06/21 12:24 bpf a2b1a5d40bd1 0fc5c330 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/27 03:40 bpf-next fd75733da2f3 a371c43c .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/22 10:16 bpf-next d4609a5d8c70 0fc5c330 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/18 14:59 bpf-next f5be22c64bd6 8f633d84 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/16 00:02 bpf-next 3831cd1f9ff6 1719ee24 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/13 08:12 bpf-next d5e9aeda8161 0d5abf15 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/10 10:05 bpf-next fe92833524e3 0d5abf15 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/02 22:47 bpf-next 330eb2a696f2 5783034f .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/06/01 08:45 bpf-next 4c7cbcc9c097 3666edfe .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/31 16:20 bpf-next 4b4b4f94a4f6 af70c3a9 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/30 12:35 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/30 08:44 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/30 00:48 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/27 19:17 bpf-next 7e062cda7d90 116e7a7b .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/26 09:43 bpf-next 7e062cda7d90 3037caa9 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/25 22:22 bpf-next 677fb7525331 647c0e27 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-bpf-next-kasan-gce 2022/05/25 07:51 bpf-next 677fb7525331 647c0e27 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 16:54 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 16:23 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 15:55 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 15:23 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 15:13 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 14:11 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 13:14 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 12:14 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 11:52 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 10:56 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 10:20 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 09:48 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 09:17 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 09:02 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 08:02 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 07:30 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 07:08 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 06:23 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 05:48 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 05:25 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 05:02 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 04:22 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 03:43 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 02:44 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 02:12 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 01:40 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 01:09 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/19 00:16 net-next 5a8fb33e5305 3cd800e4 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/05 23:02 net-next 5a8fb33e5305 a7dab638 .config log report info KASAN: use-after-free Read in ip6mr_sk_done
ci-upstream-net-kasan-gce 2022/02/07 06:00 net-next 5a8fb33e5305 a7dab638 .config log report info KFENCE: use-after-free in ip6mr_sk_done