| Title | Replies (including bot) | Last reply |
|---|---|---|
| KASAN: use-after-free Read in ip6_pol_route (2) | 0 (1) | 2021/02/19 09:34 |
syzbot |
sign-in | mailing list | source | docs |
| π Open [875] β‘ Subsystems π Fixed [4875] π Invalid [11645] β¬ Missing Backports [68] π Kernel Health π Bug Lifetimes π Fuzzing π Crashes | π¬ Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| KASAN: use-after-free Read in ip6_pol_route (2) | 0 (1) | 2021/02/19 09:34 |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in ip6_pol_route | 249 | 2294d | 2302d | 3/25 | fixed on 2017/10/24 06:54 | |||
| upstream | Internal error in ip6_pol_route net | 2 | 22d | 45d | 0/25 | upstream: reported on 2023/10/18 09:15 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2022/09/19 13:29 | 18m | retest repro | net-next-old | OK log | |
| 2021/03/25 21:49 | 19m | alaaemadhossney.ae@gmail.com | git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master | OK |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2021/02/18 18:22 | 6h45m | bisect | net-next-old | job log (1) log | |
| 2021/02/15 02:03 | 0m | bisect | net-next-old | error job log (0) |
================================================================== BUG: KASAN: use-after-free in rt6_get_pcpu_route net/ipv6/route.c:1413 [inline] BUG: KASAN: use-after-free in ip6_pol_route+0x1087/0x11c0 net/ipv6/route.c:2265 Read of size 4 at addr ffff8880130c3bb8 by task syz-executor292/8981 CPU: 1 PID: 8981 Comm: syz-executor292 Not tainted 5.11.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 rt6_get_pcpu_route net/ipv6/route.c:1413 [inline] ip6_pol_route+0x1087/0x11c0 net/ipv6/route.c:2265 pol_lookup_func include/net/ip6_fib.h:579 [inline] fib6_rule_lookup+0x52a/0x6f0 net/ipv6/fib6_rules.c:120 ip6_route_output_flags_noref+0x2e2/0x380 net/ipv6/route.c:2512 ip6_route_output_flags+0x8b/0x310 net/ipv6/route.c:2525 ip6_route_output include/net/ip6_route.h:98 [inline] ip6_dst_lookup_tail+0xb6e/0x1740 net/ipv6/ip6_output.c:1064 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1194 tcp_v6_connect+0xdb3/0x1df0 net/ipv6/tcp_ipv6.c:283 __inet_stream_connect+0x8c5/0xee0 net/ipv4/af_inet.c:661 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:725 mptcp_stream_connect+0x156/0x800 net/mptcp/protocol.c:3200 __sys_connect_file+0x155/0x1a0 net/socket.c:1835 __sys_connect+0x161/0x190 net/socket.c:1852 __do_sys_connect net/socket.c:1862 [inline] __se_sys_connect net/socket.c:1859 [inline] __x64_sys_connect+0x6f/0xb0 net/socket.c:1859 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x449b09 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f791eff4318 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00000000004cf4c8 RCX: 0000000000449b09 RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003 RBP: 00000000004cf4c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf4cc R13: 00007ffeaa51511f R14: 00007f791eff4400 R15: 0000000000022000 Allocated by task 8626: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:401 [inline] ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429 kasan_slab_alloc include/linux/kasan.h:209 [inline] slab_post_alloc_hook mm/slab.h:512 [inline] slab_alloc_node mm/slub.c:2892 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905 dst_alloc+0x9e/0x650 net/core/dst.c:93 ip6_dst_alloc+0x2e/0x100 net/ipv6/route.c:358 ip6_rt_pcpu_alloc net/ipv6/route.c:1386 [inline] rt6_make_pcpu_route net/ipv6/route.c:1434 [inline] ip6_pol_route+0x910/0x11c0 net/ipv6/route.c:2268 pol_lookup_func include/net/ip6_fib.h:579 [inline] fib6_rule_lookup+0x52a/0x6f0 net/ipv6/fib6_rules.c:120 ip6_route_output_flags_noref+0x2e2/0x380 net/ipv6/route.c:2512 ip6_route_output_flags+0x8b/0x310 net/ipv6/route.c:2525 ip6_route_output include/net/ip6_route.h:98 [inline] ip6_dst_lookup_tail+0xb6e/0x1740 net/ipv6/ip6_output.c:1064 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1194 tcp_v6_connect+0xdb3/0x1df0 net/ipv6/tcp_ipv6.c:283 __inet_stream_connect+0x8c5/0xee0 net/ipv4/af_inet.c:661 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:725 mptcp_stream_connect+0x156/0x800 net/mptcp/protocol.c:3200 __sys_connect_file+0x155/0x1a0 net/socket.c:1835 __sys_connect+0x161/0x190 net/socket.c:1852 __do_sys_connect net/socket.c:1862 [inline] __se_sys_connect net/socket.c:1859 [inline] __x64_sys_connect+0x6f/0xb0 net/socket.c:1859 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 18: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362 kasan_slab_free include/linux/kasan.h:192 [inline] slab_free_hook mm/slub.c:1547 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580 slab_free mm/slub.c:3143 [inline] kmem_cache_free+0x82/0x350 mm/slub.c:3159 dst_destroy+0x2bc/0x3c0 net/core/dst.c:129 rcu_do_batch kernel/rcu/tree.c:2489 [inline] rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xc5/0xf0 mm/kasan/generic.c:344 __call_rcu kernel/rcu/tree.c:2965 [inline] call_rcu+0xbb/0x700 kernel/rcu/tree.c:3038 dst_release net/core/dst.c:179 [inline] dst_release+0x79/0xe0 net/core/dst.c:169 sk_dst_set include/net/sock.h:1999 [inline] sk_dst_reset include/net/sock.h:2011 [inline] ipv6_update_options+0x18c/0x3e0 net/ipv6/ipv6_sockglue.c:114 ipv6_set_opt_hdr net/ipv6/ipv6_sockglue.c:383 [inline] do_ipv6_setsockopt.constprop.0+0x940/0x41f0 net/ipv6/ipv6_sockglue.c:657 ipv6_setsockopt+0xd6/0x180 net/ipv6/ipv6_sockglue.c:1003 tcp_setsockopt+0x136/0x2440 net/ipv4/tcp.c:3636 mptcp_setsockopt+0x612/0x780 net/mptcp/protocol.c:2862 __sys_setsockopt+0x2db/0x610 net/socket.c:2115 __do_sys_setsockopt net/socket.c:2126 [inline] __se_sys_setsockopt net/socket.c:2123 [inline] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2123 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8880130c3b40 which belongs to the cache ip6_dst_cache of size 232 The buggy address is located 120 bytes inside of 232-byte region [ffff8880130c3b40, ffff8880130c3c28) The buggy address belongs to the page: page:000000007c3a5b1c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x130c3 flags: 0xfff00000000200(slab) raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888020ff5500 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880130c3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff8880130c3b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff8880130c3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880130c3c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ffff8880130c3c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2021/02/15 01:46 | net-next-old | c4762993129f | 98682e5e | .config | console log | report | syz | C | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in ip6_pol_route | ||
| 2021/08/19 12:41 | upstream | d6d09a694205 | a2fe1cb5 | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in ip6_pol_route | |||
| 2021/03/02 05:47 | net-old | 73f476aa1975 | 183afb6c | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in ip6_pol_route | |||
| 2021/02/15 01:23 | net-next-old | c4762993129f | 98682e5e | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in ip6_pol_route | |||
| 2022/04/30 22:19 | net-old | a9384a4c1d25 | 2df221f6 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | general protection fault in ip6_pol_route | |||
| 2022/04/06 04:31 | net-old | 11f8e7c122ce | 0127c10f | .config | console log | report | info | ci-upstream-net-this-kasan-gce | general protection fault in ip6_pol_route | |||
| 2022/02/06 18:47 | bpf | fe68195daf34 | a7dab638 | .config | console log | report | info | ci-upstream-bpf-kasan-gce | KASAN: slab-out-of-bounds Read in ip6_pol_route | |||
| 2021/10/02 23:24 | bpf | b0e875bac0fa | db0f5787 | .config | console log | report | info | ci-upstream-bpf-kasan-gce | KASAN: slab-out-of-bounds Read in ip6_pol_route | |||
| 2021/05/28 01:25 | bpf-next | d6a6a55518c1 | 858ea628 | .config | console log | report | info | ci-upstream-bpf-next-kasan-gce | general protection fault in ip6_pol_route |