syzbot


KASAN: use-after-free Read in find_match

Status: fixed on 2020/04/15 17:19
Fix commit: 44bfa9c5e5f0 net: rtnetlink: fix bugs in rtnl_alt_ifname()
First crash: 1522d, last: 1515d
Cause bisection: introduced by (bisect log) :
commit 36fbf1e52bd3ff8a5cb604955eedfc9350c2e6cc
Author: Jiri Pirko <jiri@mellanox.com>
Date: Mon Sep 30 09:48:16 2019 +0000

  net: rtnetlink: add linkprop commands to add and delete alternative ifnames

Crash: KASAN: use-after-free Read in find_match (log)
Repro: C syz .config
  

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
BUG: KASAN: use-after-free in __in6_dev_get include/net/addrconf.h:309 [inline]
BUG: KASAN: use-after-free in ip6_ignore_linkdown include/net/addrconf.h:400 [inline]
BUG: KASAN: use-after-free in find_match+0xb39/0xc90 net/ipv6/route.c:749
Read of size 8 at addr ffff8880a022e320 by task kworker/0:22/2853

CPU: 0 PID: 2853 Comm: kworker/0:22 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __read_once_size include/linux/compiler.h:199 [inline]
 __in6_dev_get include/net/addrconf.h:309 [inline]
 ip6_ignore_linkdown include/net/addrconf.h:400 [inline]
 find_match+0xb39/0xc90 net/ipv6/route.c:749
 __find_rr_leaf+0x14e/0x750 net/ipv6/route.c:837
 find_rr_leaf net/ipv6/route.c:858 [inline]
 rt6_select net/ipv6/route.c:902 [inline]
 fib6_table_lookup+0x697/0xdb0 net/ipv6/route.c:2170
 ip6_pol_route+0x1f6/0xa70 net/ipv6/route.c:2206
 ip6_pol_route_input+0x65/0x80 net/ipv6/route.c:2264
 fib6_rule_lookup+0x133/0x7d0 net/ipv6/fib6_rules.c:114
 ip6_route_input_lookup+0xb7/0xd0 net/ipv6/route.c:2276
 ip6_route_input+0x5f0/0xa40 net/ipv6/route.c:2445
 ip6_rcv_finish_core.isra.0+0x174/0x590 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x17a/0x310 net/ipv6/ip6_input.c:74
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:306
 __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:5198
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
 process_backlog+0x226/0x780 net/core/dev.c:6144
 napi_poll net/core/dev.c:6582 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6650
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
 </IRQ>
 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:337
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:690 [inline]
 ip6_finish_output2+0x1101/0x25c0 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142
 ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0xf1f/0x1490 net/ipv6/ndisc.c:505
 ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:647
 addrconf_dad_work+0xbf3/0x11d0 net/ipv6/addrconf.c:4120
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 9871:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3623
 kmalloc_node include/linux/slab.h:578 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:574
 kvmalloc include/linux/mm.h:645 [inline]
 kvzalloc include/linux/mm.h:653 [inline]
 alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9797
 rtnl_create_link+0x22d/0xaf0 net/core/rtnetlink.c:3047
 __rtnl_newlink+0xf9f/0x1790 net/core/rtnetlink.c:3309
 rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3377
 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:672
 __sys_sendto+0x262/0x380 net/socket.c:1998
 __do_sys_sendto net/socket.c:2010 [inline]
 __se_sys_sendto net/socket.c:2006 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:2006
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9871:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 __netdev_name_node_alt_destroy+0x1ff/0x2a0 net/core/dev.c:322
 netdev_name_node_alt_destroy+0x57/0x80 net/core/dev.c:334
 rtnl_alt_ifname net/core/rtnetlink.c:3518 [inline]
 rtnl_linkprop.isra.0+0x575/0x6f0 net/core/rtnetlink.c:3567
 rtnl_dellinkprop+0x46/0x60 net/core/rtnetlink.c:3588
 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:672
 ____sys_sendmsg+0x753/0x880 net/socket.c:2343
 ___sys_sendmsg+0x100/0x170 net/socket.c:2397
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
 __do_sys_sendmsg net/socket.c:2439 [inline]
 __se_sys_sendmsg net/socket.c:2437 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a022e000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 800 bytes inside of
 4096-byte region [ffff8880a022e000, ffff8880a022f000)
The buggy address belongs to the page:
page:ffffea0002808b80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002481a88 ffffea00027ec888 ffff8880aa402000
raw: 0000000000000000 ffff8880a022e000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a022e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a022e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a022e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880a022e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a022e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (142):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/22 06:25 upstream b0dd1eb220c0 2ffa6679 .config console log report syz C ci-upstream-kasan-gce
2020/02/21 14:51 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/21 14:27 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/21 12:48 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/21 12:19 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/21 11:47 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/21 10:52 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/21 02:50 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce
2020/02/21 00:23 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/20 17:39 upstream ca7e1fd1026c 81230308 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/20 15:49 upstream ca7e1fd1026c 81230308 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/20 14:38 upstream ca7e1fd1026c 81230308 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/20 13:58 upstream ca7e1fd1026c 81230308 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/20 01:39 upstream 4b205766d8fc b690a6e3 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/20 00:49 upstream 4b205766d8fc b690a6e3 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/19 22:41 upstream 4b205766d8fc b690a6e3 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/19 22:06 upstream 4b205766d8fc b690a6e3 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/19 14:13 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-root
2020/02/19 12:13 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/19 10:34 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/19 09:02 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/19 08:23 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/19 07:51 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/19 05:32 upstream 0a44cac81050 135c18aa .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/18 21:33 upstream b1da3acc781c 012fbc32 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/18 21:21 upstream b1da3acc781c 012fbc32 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/18 20:52 upstream b1da3acc781c 012fbc32 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/18 19:58 upstream b1da3acc781c 012fbc32 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/18 13:20 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-root
2020/02/18 12:03 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-root
2020/02/18 11:29 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-root
2020/02/18 05:49 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/18 04:36 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/18 03:58 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-root
2020/02/18 03:45 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/18 03:19 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/18 02:42 upstream 11a48a5a18c6 1ce142dc .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/17 20:50 upstream 11a48a5a18c6 2b411596 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/17 20:34 upstream 11a48a5a18c6 2b411596 .config console log report syz C ci-upstream-kasan-gce
2020/02/17 19:27 upstream 11a48a5a18c6 2b411596 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/15 18:52 upstream 2019fc96af22 5d7b90f1 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/02/22 09:15 upstream b0dd1eb220c0 2ffa6679 .config console log report syz C ci-upstream-kasan-gce-386
2020/02/21 01:07 upstream ca7e1fd1026c bd2a74a3 .config console log report syz C ci-upstream-kasan-gce-386
2020/02/18 21:24 upstream b1da3acc781c 012fbc32 .config console log report syz C ci-upstream-kasan-gce-386
2020/02/17 19:24 upstream 11a48a5a18c6 2b411596 .config console log report syz C ci-upstream-kasan-gce-386
2020/02/22 08:05 net-next-old 5f9721a2d119 2ffa6679 .config console log report syz C ci-upstream-net-kasan-gce
2020/02/22 02:32 net-next-old 5f9721a2d119 2ffa6679 .config console log report syz C ci-upstream-net-kasan-gce
2020/02/21 22:27 upstream ca7e1fd1026c 2ffa6679 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/20 20:06 upstream ca7e1fd1026c bd2a74a3 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/19 19:40 upstream 4b205766d8fc b690a6e3 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/19 03:29 upstream 0a44cac81050 135c18aa .config console log report ci-upstream-kasan-gce-smack-root
2020/02/18 16:21 upstream b1da3acc781c 012fbc32 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/18 02:01 upstream 11a48a5a18c6 1ce142dc .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/17 10:46 upstream 11a48a5a18c6 2b411596 .config console log report ci-upstream-kasan-gce
2020/02/16 23:45 upstream 11a48a5a18c6 1f448cd6 .config console log report ci-upstream-kasan-gce-root
2020/02/16 11:34 upstream db70e26e33ee cf914200 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/16 10:21 upstream db70e26e33ee cf914200 .config console log report ci-upstream-kasan-gce
2020/02/16 08:28 upstream db70e26e33ee 5d7b90f1 .config console log report ci-upstream-kasan-gce
2020/02/16 06:19 upstream 829e69446995 5d7b90f1 .config console log report ci-upstream-kasan-gce
2020/02/16 00:56 upstream 829e69446995 5d7b90f1 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/15 20:25 upstream 829e69446995 5d7b90f1 .config console log report ci-upstream-kasan-gce-root
2020/02/15 20:19 upstream 829e69446995 5d7b90f1 .config console log report ci-upstream-kasan-gce-smack-root
2020/02/15 18:55 upstream 2019fc96af22 5d7b90f1 .config console log report ci-upstream-kasan-gce-smack-root
2020/02/15 18:35 upstream 2019fc96af22 5d7b90f1 .config console log report ci-upstream-kasan-gce-386
2020/02/21 20:00 net-next-old 5f9721a2d119 2ffa6679 .config console log report ci-upstream-net-kasan-gce
2020/02/16 10:10 linux-next 9f01828e9e16 cf914200 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/02/16 08:39 linux-next 9f01828e9e16 5d7b90f1 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/02/15 18:28 linux-next 9f01828e9e16 5d7b90f1 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.