syzbot


KASAN: slab-use-after-free Read in nla_put

Status: closed as invalid on 2024/11/27 19:42
Subsystems: rdma
First crash: 62d, last: 62d

Sample crash report:
infiniband syz2: RDMA CMA: cma_listen_on_dev, error -98
lo speed is unknown, defaulting to 1000
lo speed is unknown, defaulting to 1000
==================================================================
BUG: KASAN: slab-use-after-free in __nla_put lib/nlattr.c:1041 [inline]
BUG: KASAN: slab-use-after-free in nla_put+0x158/0x1bc lib/nlattr.c:1099
Read of size 5 at addr ffff000011a80a00 by task syz.1.6937/17506

CPU: 1 UID: 0 PID: 17506 Comm: syz.1.6937 Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:319
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:175 [inline]
 kasan_check_range+0x100/0x1a8 mm/kasan/generic.c:189
 memcpy+0x3c/0x9c mm/kasan/shadow.c:74
 __nla_put lib/nlattr.c:1041 [inline]
 nla_put+0x158/0x1bc lib/nlattr.c:1099
 nla_put_string include/net/netlink.h:1617 [inline]
 fill_nldev_handle+0xf0/0x174 drivers/infiniband/core/nldev.c:265
 rdma_nl_notify_event+0x18c/0x784 drivers/infiniband/core/nldev.c:2825
 ib_device_notify_register drivers/infiniband/core/device.c:1360 [inline]
 ib_register_device drivers/infiniband/core/device.c:1476 [inline]
 ib_register_device+0x5fc/0x9bc drivers/infiniband/core/device.c:1395
 siw_device_register drivers/infiniband/sw/siw/siw_main.c:72 [inline]
 siw_newlink+0xa68/0xd74 drivers/infiniband/sw/siw/siw_main.c:452
 nldev_newlink+0x258/0x444 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 17506:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_track_caller_noprof+0x1e8/0x428 mm/slub.c:4283
 kstrdup+0x48/0x90 mm/util.c:64
 kstrdup_const+0x40/0x4c mm/util.c:87
 kvasprintf_const+0x1b0/0x1e0 lib/kasprintf.c:46
 kobject_set_name_vargs+0x5c/0x118 lib/kobject.c:274
 dev_set_name+0xa4/0xdc drivers/base/core.c:3478
 assign_name drivers/infiniband/core/device.c:1218 [inline]
 ib_register_device+0x534/0x9bc drivers/infiniband/core/device.c:1400
 siw_device_register drivers/infiniband/sw/siw/siw_main.c:72 [inline]
 siw_newlink+0xa68/0xd74 drivers/infiniband/sw/siw/siw_main.c:452
 nldev_newlink+0x258/0x444 drivers/infiniband/core/nldev.c:1795
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 17509:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x50/0x6c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x130/0x460 mm/slub.c:4727
 kfree_const+0x34/0x40 mm/util.c:43
 kobject_rename+0x120/0x1ec lib/kobject.c:524
 device_rename+0xc8/0x1c0 drivers/base/core.c:4545
 ib_device_rename+0xdc/0x3cc drivers/infiniband/core/device.c:419
 nldev_set_doit+0x264/0x328 drivers/infiniband/core/nldev.c:1146
 rdma_nl_rcv_msg+0x274/0x56c drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x204/0x340 drivers/infiniband/core/netlink.c:239
 rdma_nl_rcv+0x10/0x1c drivers/infiniband/core/netlink.c:259
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x3c0/0x670 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x654/0xa4c net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0xc8/0x168 net/socket.c:744
 ____sys_sendmsg+0x54c/0x6dc net/socket.c:2607
 ___sys_sendmsg+0x11c/0x19c net/socket.c:2661
 __sys_sendmsg+0xe0/0x174 net/socket.c:2690
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2697
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff000011a80a00
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 freed 8-byte region [ffff000011a80a00, ffff000011a80a08)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51a80
anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 01ffc00000000000 ffff00000d401500 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000011a80900: fa fc fc fc fa fc fc fc 00 fc fc fc fa fc fc fc
 ffff000011a80980: fa fc fc fc fa fc fc fc fa fc fc fc 04 fc fc fc
>ffff000011a80a00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
                   ^
 ffff000011a80a80: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
 ffff000011a80b00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
==================================================================

Crashes (1):
Time: 2024/10/25 03:39
Kernel: upstream
Commit: 4e46774408d9
Syzkaller: c79b8ca5
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: info
Assets: disk image (non-bootable), vmlinux, kernel image
Manager: ci-qemu2-arm64
Title: KASAN: slab-use-after-free Read in nla_put